Statement on the Parity multi-sig wallet vulnerability and the Cappasity ARtoken crowdsale
A vulnerability in the Parity multi-sig wallet contract was found on November 7. It caused funds held in Parity multi-sig wallets created after July 20 to be temporarily inaccessible. According to crypto eli5, 151 wallets have been frozen, with their balances being 513,743 ETH or $152 million in total. According to Parity Technologies, 573 wallets have been affected and their total balance is unknown.
We would like to note that the Cappasity platform and the content stored there are secure, the functionality of the platform is unaffected and everything functions as usual. The detected vulnerability in no way affected the BTC wallet of our crowdsale, other company’s accounts or our current business activities.
Unfortunately, the ETH wallet of our crowdsale was using the affected Parity multi-sig contract. The wallet is not accessible now and will remain inaccessible until the situation is resolved. The details can be viewed here, our wallet is the ninth in the list.
During our ICO, we accept funds via interim wallets and transfer them to the main wallet after the funds transfers are validated. This procedure is necessary to provide additional security. At the moment, we are running the crowdsale in regular mode. However, we have stopped the transfer of funds to the main ETH wallet until further information on the situation is received from Parity Technologies and the situation is resolved.
Currently, our funds for a total of 3264 ETH (~ $1M) are frozen. How could this situation affect the achievement of the planned milestones? The development of the project is financed by angel investors — Cappasity raised more than $1.8M in total. The existing partners of the company could compensate for the frozen funds if it becomes necessary. We have already received a number of smart-money offers from angels and VCs.
Over 10,000 people have already registered on the crowdsale portal and are ready to become participants of the first AR/VR Ecosystem for 3D content exchange. We highly appreciate the trust and support of our community! Your publications and posts about Cappasity and ARtoken help us become bigger and more visible day by day.
We are confident that Parity Technologies and Ethereum Foundation will find a way out of the current situation and projects that use the Parity wallet will not be affected. This is of significant importance to the development of the Ethereum ecosystem and the trust in smart contracts.
*****
The ARToken team’s opinion on the reasons behind the freezing of $152 million:
Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate. On Nov-06–2017, at 04:02:51 PM +UTC, they tried to call execute (address _to, uint256 _value, bytes _data) of ARToken’s smart contract:https://etherscan.io/tx/0xfdca7bf55048d2d53d3851fe988a67cac7e67e9757c3d1aaf294db358c728ea3
The same user (Nov-06–2017 04:01:46 PM + UTC) called execute(..) of Polkadot’s smart contract, its frozen funds account for more than $90 million in total:
https://etherscan.io/tx/0xbf13ed4c9af0e56b066f368f09d102be0d185d309f491a19c84bda0ae95ec9fa
Polkadot wallet https://etherscan.io/address/0x3bfc20f0b9afcace800d73d2191166ff16540258
The day before: the functions changeOwner (address _from, address _to) and kill (address _to) were called.
When you are tracking all their transactions, you realize that they were deliberate:
https://etherscan.io/address/0xae7168deb525862f4fee37d987a971b385b96952
Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hacking.
We believe that if the situation is not successfully resolved in the nearest future, contacting law enforcement agencies will be the right next step.