[Updates] Satoshi•Pie Ethereum multisig has been hacked
In this post, we will keep you updated on the incident.
Contract address: 0xD0f706bF4738732145344Dc407d36b88859C3349
23:02 PM local time 19 July 2017
All ether and all tokens except AIR and ANT have been withdrawn to an unknown destination. Working on withdrawing MYST.
23:10 PM local time
According to Etherscan, this hack was likely a rescue by White Hats.
23:38 PM local time
Current estimated impact: $7 641 533 as of last clearance round
00:06 AM local time 20 July 2017
At the moment, the investment process has been stopped because Ethereum blockchain software is under attack. SPIES tokens are safe (issued by BitShares).
00:12 AM local time
Currently, the address MultisigExploit-WhiteHat is sending transactions to (probably) new multisig contracts.
00:52 AM local time
Estimation of the vulnerable code, based on the contract version to which the White Hats are sending values.
8 lines updated
UPDATE (20/07/17, 00:26 CEST): Future multi-sig wallets created by versions of Parity are secure. Fix in the code is https://github.com/paritytech/parity/pull/6103 and the newly registered code is https://etherscan.io/tx/0x5f0846ccef8946d47f85715b7eea8fb69d3a9b9ef2d2b8abcf83983fb8d94f5f.
11:52 AM local time
We are waiting for the announcement by the White Hats Group. 2 scenarios:
- If they send funds back, losses will be 0.8% of Satoshi•Pie (MYST token)
- If not, losses will be 39.2% of Satoshi•Pie (all ETH and tokens except ANT and AIR)
According to our intuition, the first scenario is likely to happen, but we cannot predict the time. We are starting to process yesterday's deposits and withdrawals, as they should happen before the incident timestamp Jul-19-2017 06:34:46 PM +UTC.
02:44 PM local time
Damage valuation as of current valuation round:
04:03 PM local time
Official statement by (Satoshi•Fund) and Fund managers
(to be published in all official channels)
Working on vulnerability in Ethereum multisig contract
Yesterday, at Jul-19-2017 06:34:46 PM, the first transaction hit our multisig Satoshi•Pie contract. The majority of funds were siphoned in 2 minutes (all ETH) and in 1 hour (all ERC20 tokens except ANT, AIR, and MYST). The breach led to unidentified accounts. We reacted in less than 2 hours and successfully used the exploit to drain the remaining tokens, ANT and AIR, to an address under our control. MYST attempts were unsuccessful. The history can be audited using Etherscan. The incident log can be found in English and Russian.
In parallel, it became known that the withdrawal was done by the White Hats Group. Now we are waiting for a refund according to this statement of WHG on Reddit. After a fast investigation, it became clear that the damage is not existential and we are able to continue operations. 2 hours ago we processed yesterday's deposits and withdrawals, which anyway should happen before the incident timestamp.
Our strategy is the following:
- We are going to continue to provide a best-in-breed blockchain asset management service.
- We are changing the valuation cycle from 24 hours to 1 week for the Satoshi•Pie product.
- That means that from now on all withdrawals and deposits will be possible once a week. If recovery happens earlier, we will let everybody withdraw on a daily basis during this transition week.
- We are implementing a hard limit on deposits and withdrawals at 10 BTC for one transaction. Fewer transactions should go through the market.
- We are considering moving Ethereum holdings (if recovered) to the Zeppelin smart contract framework.
- If not recovered by the White Hats Group in 1 week, we will provide a path for alternative recovery strategies.
- We are going to publish a bug bounty program.
Thank you for being with us. For those who are not happy with our service, please be patient. You will be able to withdraw all your funds according to our terms.
The new version of Satoshi•Pie white paper will be published with updates soon.
01:00 PM local time 22 July 2017
We confirmed to WHG that the setting parameters for the deployed contracts are valid.
Now we are waiting until WHG gets enough evidence from the community that all calculations are correct before deploying new contracts.
05:18 PM local time 25 July 2017
All values have been returned to SatoshiPie control. The new contract.
Until the full security audit is finished, in order to reduce risks, some part of the holdings will be under the direct control of fund managers using these accounts: