Ethereum’s Parity Critical Multisig Vulnerability Leads to a $32 Million Theft – Trustnodes

Ethereum’s Parity Critical Multisig Vulnerability Leads to a $32 Million Theft

0

Parity’s multisig feature had a critical vulnerability which led to the theft of some $32 million worth of ethereum from ICOs, at the time of writing.

Parity’s multisig feature has a critical vulnerability

Jamie Pitts, an ethereum developer, said:

“The vulnerability is in Parity’s “enhanced” multi-sig contract. This affects Parity 1.5 and later. Parity 1.5 was released on January 19, 2017 (have you created multi-sigs in Parity since then?). The canonical multi-sig contract used in Mist/Ethereum Wallet does NOT have this vulnerability.”

Ethereum developer Alex Van De Sande stated more than $160 million worth of eth and tokens were “saved,” but the thief run away with $30 million.

Rumors circulating the thief is the same or connected to the DAO hacker.

An Ethereum address holding some $75 million worth of eth has the below statement:

“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.

The White Hat account currently holding the rescued funds is https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a.

If you hold a multisig contract that was drained, please be patient. They will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and will return your funds to you there.”

The White Hat Group was formed after the Slockit DAO hack last year to try and rescue funds from the hacker.

The bug has now been fixed. There apparently was an oversight regarding the initWallet function which, if not marked as internal, defaults to public. That allows anyone to call the function and set themselves as the contract owner.

It appears to have been a simple, but very costly, bug. As such, questions are being raised as to how no one caught it before hand. While others may be intrigued by the hacker, who was seemingly able to see what others couldn’t, suggesting quite a level of intelligence.

 

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments