Statement on the Parity multi-sig wallet vulnerability and the Cappasity token crowdsale
A vulnerability in the Parity multi-sig wallet contract was found on November 7. It caused funds held in Parity multi-sig wallets created after July 20 to be temporarily inaccessible. According to crypto eli5, 151 wallets have been frozen, with their balances being 513,743 ETH or $152 million in total. According to Parity Technologies, 573 wallets have been affected and their total balance is unknown.
We would like to note that the Cappasity platform and the content stored there are secure, the functionality of the platform is unaffected and everything functions as usual. The detected vulnerability in no way affected the BTC wallet of our crowdsale, the company’s other accounts or our current business activities.
Unfortunately, the ETH wallet of our crowdsale was using the affected Parity multi-sig contract. The wallet is not accessible now and will remain inaccessible until the situation is resolved. The details can be viewed here; our wallet is the ninth in the list.
During our ICO (www.artoken.io), we accept funds via interim wallets and transfer them to the main wallet after the funds transfers are validated. This procedure is necessary to provide additional security. At the moment, we are running the crowdsale in regular mode. However, we have stopped the transfer of funds to the main ETH wallet until further information on the situation is received from Parity Technologies and the situation is resolved.
Currently, our funds, totaling 3264 ETH (~ $1M), are frozen. How could this situation affect the achievement of the planned milestones? The development of the project is financed by angel investors: Cappasity raised more than $1.8M in total. The existing partners of the company could compensate for the frozen funds if it becomes necessary. We have already received a number of smart-money offers from angels and VCs.
Over 10,000 people have already registered on the crowdsale portal and are ready to become participants of the first AR/VR Ecosystem for 3D content exchange. We highly appreciate the trust and support of our community! Your publications and posts about Cappasity and our token help us become bigger and more visible day by day.
We are confident that Parity Technologies and the Ethereum Foundation will find a way out of the current situation and that projects that use the Parity wallet will not be affected. This is of significant importance to the development of the Ethereum ecosystem and the trust in smart contracts.
IMPORTANT: Cappasity token contributors are unaffected by Parity’s bug
To avoid any misunderstanding, we clarify that the incident with the Parity multi-sig wallet contract will not affect the release of Cappasity tokens and everyone will receive their tokens on time, i.e. after November 22.
We are running the crowdsale in regular mode and have been using another ETH wallet since yesterday.
Taking into consideration the latest developments in the current situation, we are waiting for our funds to be unfrozen in the near future. The incident in no way affects our commitment to release Cappasity tokens.
The development and implementation of the roadmap have not been affected. Our partners are ready to provide a financial bridge if it becomes necessary. At the moment, this measure is unnecessary.
We will keep you informed of any further developments in the situation with Parity Technologies and the Ethereum Foundation.
The Cappasity Token team’s opinion on the reasons behind the freezing of $152 million:
Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate. On Nov-06-2017, at 04:02:51 PM +UTC, they tried to call execute(address _to, uint256 _value, bytes _data) of Cappasity Token’s smart contract: https://etherscan.io/tx/0xfdca7bf55048d2d53d3851fe988a67cac7e67e9757c3d1aaf294db358c728ea3
The same user (Nov-06-2017 04:01:46 PM +UTC) called execute(..) of Polkadot’s smart contract, whose frozen funds account for more than $90 million in total:
The day before, the functions changeOwner(address _from, address _to) and kill(address _to) were called.
When you track all their transactions, you realize that they were deliberate:
Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hack.
We believe that if the situation is not successfully resolved in the near future, contacting law enforcement agencies may be the right next step.
UPDATE 11/18/2017: New Parity hack shifts the attitude towards Ethereum. Is it necessary to create Ethereum Safe (ETS)? https://blog.artoken.io/new-parity-hack-shifts-the-attitude-towards-ethereum-cfd2e014f1a2
If your Parity wallet has been affected by the hack, contact us at firstname.lastname@example.org. We will share with you the steps that we are going to take if Parity Technologies does not give us an answer about the solution for the situation within a reasonable time.