On July 19 the ethereum community was warned that the Parity client version 1.5 and above contained a critical vulnerability in the multi-signature wallet feature.
A group of multi-signature “black hat exploiters” has managed to drain 150,000 ether from multi-sig wallets and ICO projects.
A Vulnerability Found in the Multi-Signature Contract “Wallet.sol” Used in Parity Clients
According to Parity and the firm’s founder Gavin Wood, the Parity wallet version 1.5 and above contained a bug that enabled the theft of $30 million worth of ETH. The affected wallets used a multi-signature contract called “wallet.sol”, and the same contract was also used by a few initial coin offerings (ICOs). Circulating reports suggest that three ICO projects in particular were compromised: Swarm City, æternity, and Edgeless Casino.
Parity issued a security warning on its website on July 19 detailing the extent of the issue, stating:
A vulnerability in Parity Wallet’s variant of the standard multi-sig contract has been found — Immediately move assets contained in the multi-sig wallet to a secure address.
The Mysterious ‘White Hat Group’ Returns to Rescue Funds
Following this incident, an anonymous group calling itself the “White Hat Group” took it upon themselves to drain the remaining vulnerable multi-sig wallets by sweeping the network. According to the group, they recovered 377,105 ether, worth about $85M at the time of writing. The group says it will return the funds to the accounts that were drained and is using donations from the DAO rescue to pay the gas for sending the ether onward.
“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract,” the group’s announcement explains. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped find these vulnerable contracts.”
If you hold a multisig contract that was drained, please be patient. We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there. We will be using the donations sent to us from The DAO Rescue to pay for gas.
How Many More Faulty Contracts Will Be Found in the Future?
The news of the vulnerability comes just after the Coindash ICO hack last week, which saw the loss of $10M worth of ether. The malicious hack from that event last week and yesterday’s multi-signature wallet drain have had little effect on the price of ethereum. However, the cryptocurrency community is once again discussing the issue of faulty contracts on the Ethereum network that currently hold millions of dollars in funds. Close to a quarter of a billion dollars in ether has been drained by either “black hat exploiters” or the “white hat group” since the notorious DAO debacle last year.
What do you think about the latest multi-signature wallet ethereum hacks? Let us know in the comments below.
Images via Pixabay and the Parity Tech website.
Source: bitcoin.com
I wanted to partner with one of the wallet providers that implemented a multi-signatory system for my upcoming site coinratecap.com, but I had second thoughts about the safety of the users, so I decided not to go further with the partnership. The reason is that any cryptocurrency saved on a server is risky. It is better that customers manage their cryptocurrency themselves than to have it saved on the server. Users should have access to their private and public keys. At least the level of risk involved when managing it yourself is low, whereas when a user wakes up one morning only to see that his digital coins have disappeared, it is quite devastating and intolerable. This is one of the major reasons I partnered with shapeshift. Every exchange should consider the safety of every user first, before anything else.