On July 19 the Ethereum community was warned that the Parity client version 1.5 and above contained a critical vulnerability in its multi-signature wallet feature. Further, a group of “black hat exploiters” managed to drain 150,000 ether from multi-sig wallets and ICO projects.
A Vulnerability Found in the Multi-Signature Contract “Wallet.sol” Used in Parity Clients
According to Parity and the firm’s founder Gavin Wood, the Parity wallet shipped with client versions 1.5 and above contained a bug that enabled the theft of $30 million worth of ETH. The vulnerability was in the multi-signature contract “wallet.sol” used by these Parity wallets, and the same contract was used by a few initial coin offering (ICO) projects as well. Circulating reports suggest that three ICO projects were compromised: Swarm City, æternity, and Edgeless Casino.
Parity issued a security warning on its website on July 19 detailing the extent of the issue, stating:
A vulnerability in Parity Wallet’s variant of the standard multi-sig contract has been found — Immediately move assets contained in the multi-sig wallet to a secure address.
The Mysterious ‘White Hat Group’ Returns to Rescue Funds
Following this incident, a group of unknown hackers calling themselves the “White Hat Group” took it upon themselves to drain the rest of the vulnerable multi-sig wallets by sweeping the network. According to the group, they recovered 377,105 ether, worth about $85M at the time of writing. The group says it will return the funds to the accounts that were drained and is using The DAO Rescue donations to pay the gas needed to send the ether back.
“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract,” explains the hackers’ announcement. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped find these vulnerable contracts.”
If you hold a multisig contract that was drained, please be patient. We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there. We will be using the donations sent to us from The DAO Rescue to pay for gas.
How Many More Faulty Contracts Will Be Found in the Future?
The news of the vulnerability comes just after the CoinDash ICO hack last week, which saw the loss of $10M worth of ether. The malicious hack from that event and yesterday’s multi-signature wallet drain have had little effect on the price of ether. However, the cryptocurrency community is once again discussing the issue of faulty contracts on the Ethereum network that currently hold millions of dollars in funds. Close to a quarter of a billion dollars in ether has been drained by either “black hat exploiters” or the “White Hat Group” since the notorious DAO debacle last year.
What do you think about the latest multi-signature wallet ethereum hacks? Let us know in the comments below.