$30 million below Parity: Ethereum wallet bug fingered in mass heist
Crypto-cash leak made possible by software stuff-up
A vulnerability in Parity's Ethereum wallet software has been exploited by thieves to rob victims on a massive scale.
A few hours ago, Parity told its users to move their ETH holdings from their in-browser wallets to more secure accounts immediately:
IMPORTANT: SECURITY ALERT: https://t.co/h5vc0KwAxS Move funds in multi-sig wallet created in Parity Wallet 1.5 or higher immediately.
— Parity Technologies (@ParityTech) July 19, 2017
The warning came after three transactions appeared on Etherscan.io, in which accounts were drained of 150,000 coins worth just over US$30 million at the current price. It's understood a trivial programming blunder in Parity's code allowed crooks to hijack strangers' wallets at will.
Coindesk reports 377,000 more Ether were at risk of theft, but were drained into holding accounts by white hats. That gallant action was outlined by Kurt Knudsen on Parity's Gitter channel:
The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped find these vulnerable contracts. The White Hat account currently holding the rescued funds is [here].
Over at Reddit, the white hats promised the funds will be returned: “We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there.”
Parity's security alert points the finger at the multi-sig contract wallet, wallet.sol, and says the flaw affects multi-sig wallets created with Parity 1.5 or later.
On Twitter, Arkadiy Kukarkin (@parkan) identified the pull request that seems to be the problem:
2000+ line changeset containing critical code merged w/out security review or formal signoff, 1 person commenting. Maybe not best practices https://t.co/a3oLApX41Y
— Arkadiy Kukarkin (@parkan) July 19, 2017
One of the victims of the heist has self-identified as Swarm City. Edgeless Casino and the æternity blockchain were also hit, we're told.
The attack comes hard on the heels of $7 million worth of Ethereum hijacked from Israeli startup CoinDash.