I can’t help but point out that this hack likely wouldn’t have taken place if we had stuck to the old (and correct!) way of dealing with ICP account IDs! The whole thing about the ICRC-1 account ID being the user principal was a horrible mistake.
The principal, by its original design, was only used to represent identities, which are only visible to canisters or developers, not end users. Principals are now publicly exposed by ICRC token ledgers and apps such as Odin.fun, and this facilitates the hack because the attacker can easily identify who to target. Had we stuck to using the old ICP account IDs, the hacker would need to either hack into users’ computers or Odin’s canisters (i.e. subnet nodes) before they could obtain such information.
Sure, obscurity is not security. But mixing up sensitive information (i.e. identities) with public information (i.e. account ids) definitely facilitated this hack, and likely many more to come.
To fix this, we must first admit that ICRC-1 was a mistake, which was called out many times in threads like this one and this one. Until we are more honest about mistakes like this, hacks like this will keep happening!
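For reference, the two account formats contrasted in the post above, as an added example that is not part of the original post or of any ledger's code. It derives a legacy ICP account identifier (a checksummed SHA-224 hash of principal and subaccount) and sets it beside an ICRC-1 account, which carries the principal itself; the sample principal is constructed and the function names are hypothetical.

```python
import hashlib
import zlib

# Domain separator used by the ICP ledger for legacy account identifiers.
DOMAIN_SEPARATOR = b"\x0aaccount-id"
DEFAULT_SUBACCOUNT = bytes(32)  # all-zero subaccount

# Constructed sample: a self-authenticating principal is SHA-224 of a DER
# public key plus a 0x02 suffix. The "key" here is made up for the demo.
SAMPLE_PRINCIPAL = hashlib.sha224(b"constructed demo key").digest() + b"\x02"


def legacy_account_id(principal: bytes, subaccount: bytes = DEFAULT_SUBACCOUNT) -> bytes:
    """Return the 32-byte legacy account identifier: CRC32(h) || h,
    where h = SHA-224(separator || principal || subaccount)."""
    if len(principal) > 29:
        raise ValueError("principal is at most 29 bytes")
    if len(subaccount) != 32:
        raise ValueError("subaccount must be exactly 32 bytes")
    digest = hashlib.sha224(DOMAIN_SEPARATOR + principal + subaccount).digest()
    checksum = zlib.crc32(digest).to_bytes(4, "big")
    return checksum + digest


def is_well_formed(account_id: bytes) -> bool:
    """Check length and the leading CRC32 of a legacy account identifier."""
    if len(account_id) != 32:
        return False
    return zlib.crc32(account_id[4:]).to_bytes(4, "big") == account_id[:4]


def icrc1_account(principal: bytes, subaccount: bytes = DEFAULT_SUBACCOUNT):
    """An ICRC-1 account is the (owner, subaccount) pair itself, so the
    principal is readable by anyone who sees the account."""
    return (principal, subaccount)


if __name__ == "__main__":
    legacy = legacy_account_id(SAMPLE_PRINCIPAL)
    owner, _ = icrc1_account(SAMPLE_PRINCIPAL)
    print("legacy account id :", legacy.hex())
    print("ICRC-1 owner bytes:", owner.hex())
    # The legacy form is a one-way hash: the principal does not appear in it.
    print("principal visible in legacy id:", SAMPLE_PRINCIPAL in legacy)
```
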