$30 million below Parity: Ethereum wallet bug fingered in mass heist

Crypto-cash leak made possible by software stuff-up

A vulnerability in Parity's Ethereum wallet software has been exploited by thieves to rob victims on a massive scale.

A few hours ago, Parity told its users to move their ETH holdings from their in-browser wallets to more secure accounts immediately:

The warning came after three transactions appeared on Etherscan.io, in which accounts were drained of 150,000 coins worth just over US$30 million at the current price. It's understood a trivial programming blunder in Parity's code allowed crooks to hijack strangers' wallets at will.

Coindesk reports 377,000 more Ether were at risk of theft, but were drained into holding accounts by white hats. That gallant action was outlined by Kurt Knudsen on Parity's Gitter channel:

The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts. The White Hat account currently holding the rescued funds is [here].

Over at Reddit, the white hats promised the funds will be returned: “We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there.”

Parity's security alert points the finger at the multi-sig contract wallet wallet.sol, and says it affected Parity 1.5 implementations or later.

On Twitter, Arkadiy Kukarkin (@parkan) identified the pull request that seems to be the problem:

One of the victims of the heist has self-identified as Swarm City. Edgeless Casino and the æternity blockchain were also hit, we're told.

The attack comes hard on the heels of $7 million worth of Ethereum hijacked from Israeli startup CoinDash. ®


Biting the hand that feeds IT © 1998–2017