Dissecting the two malicious Ethereum messages that cost $30M (but could’ve cost $100M)

Raúl Kripalani
Jul 22, 2017 · 3 min read

The Black Hat group managed to exploit three wallets, before the White Hat group intervened and swept up all other affected wallets.

A basic principle of Blockchains is that all actions are traceable. So, can we drill into the blockchain and inspect the messages sent by the attacker? The answer is YES, we can.

(To understand the attack itself, the timeline and who Parity is, read my previous post: Postmortem analysis of the hack [in 500 words].)

The havoc was wreaked by two simple messages, sent in sequence:

  • initWallet => resets the wallet’s owner address.
  • execute => it executes the ETH transfer, thus stealing the funds.

The illustrations belong to the aeternity wallet, but the other attacks (including the White Hat’s) rely on the same logic.

The initWallet message

The initWallet function was only supposed to be invoked at wallet initialisation (read more in my previous post). It sets the address of the owner of the wallet, thus giving it full control over its assets.

But it was wrongly made publicly visible, hence allowing calls from the outside at any time. That’s the vulnerability the attacker used.

Explanation: the message wraps a function call to initWallet passing in the hacker’s ETH address as the new owner.

Notice how the address passed in as an argument matches the address from where the message originates, i.e. the Black Hat.

This call only cost the attacker 66839 Gwei, i.e. $0.31.

At the moment I took the snapshot, the block that includes this transaction had over 10,000 confirmations.

So it’s pretty irreversible and it gets harder and harder to reverse every ~18–20 seconds (ETH average block mining time), even if a hard fork is organised.

EDIT: As Nick Johnson pointed on Reddit, a hard fork could return the funds without requiring a full reversal of the subsequent chain, albeit being impractical and highly complex due to the fact that funds have been moved further, contracts have committed suicide, etc.

The execute message

Now that the attacker has appointed himself as the new owner of the aeternity wallet, they can use their private key to sign an outgoing transfer for the balance of the account (82,189 ETH).

Explanation: as you can see, this message wraps a call to the execute function, passing in its own address as the beneficiary and the amount to transfer (82,189 ETH).

The call data is encoded in hex. The amount is expressed in Wei, once converted to decimal it matches the internal transfer that the contract ended up making, as you can see.

The attacker paid the equivalent to $0.28 for transferring an amount equivalent to $18M (as per today’s ETH price).

Note: The attacker could have chosen any other address that they controlled to send the funds to, but they chose the same address designated as the new owner.

The White Hat intervention

These two messages are the same messages the White Hat group employed to acquire control of all other affected wallets — as I explained in my previous article: Postmortem analysis of the hack [in 500 words].

Always in groups of two:

If you enjoyed this article, please recommend it on Medium (heart it!), and share it on Twitter, LinkedIn, etc.

I’m also open to opportunities in the Blockchain space; find me on LinkedIn.

Feel free to follow me on Twitter for more stuff like this: https://twitter.com/raulvk.

Raúl Kripalani

Written by

🎈 Engineer @ Protocol Labs, working on libp2p. Previously: ConsenSys, Red Hat, FuseSource, Atos, freelance. From Tenerife, Canary Islands, Spain.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade