More Than $100M Drained in Multisig Hack as White Hats Ride in

Galen Moore
Published in Token Report
Jul 19, 2017

This post went out earlier today for subscribers to our investor newsletter covering novel crypto assets. Sign up for the next issue, here.

At least 153,000 ETH (32 million USD) is reported missing from multi-signature wallets provided by Parity Technologies, a London- and Berlin-based blockchain technology company, Wednesday. A vulnerability reportedly allowed a hacker to siphon ether away from addresses that held funds using the wallet.

After the reported theft, another group of hackers removed over 377,000 ETH (77 million USD) in what they say is a white-hat effort to protect funds exposed in vulnerable wallets.

Parity confirmed the vulnerability in a short blog post and advised users to transfer funds out of its wallets. Multi-signature, or multisig, wallets like Parity’s require more than one key to authorize a blockchain transaction, which is why project teams use them to hold cryptocurrency under joint control rather than trusting a single person with the funds.

The Parity hack appears to be the second largest heist of the digital currency Ethereum, topped only by the 2016 hack of The DAO, in which roughly 50 million USD worth of contributors’ ether was drained.

Peter Vessenes, managing director of New Alchemy, a blockchain technology company, pointed to a vulnerability in Parity’s multisig wallet, now patched, that allowed any user to go in and reset a wallet’s owners. (Disclosure: Vessenes is the lead investor in Token Report.)

Blockchain developer Santiago Palladino, of Zeppelin, a smart contract platform technology provider, went further in a later post, explaining in detail how the attackers were able to reset ownership. According to Palladino, the opening lay in the way each Parity wallet was built: the wallet contract itself held little logic and forwarded any call it did not handle to a shared library contract, where the wallet’s real logic lived, including the initialization routine that sets the owners. That forwarding was unconditional, so any function in the library could be invoked through a deployed wallet, and the initialization routine had no guard against being run a second time. Parity should instead have specified exactly which library functions a deployed wallet could reach. The function that sets the account owners would not have been on that list.
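To make that mechanism concrete, here is a constructed illustration added for this write-up. It is not Parity’s code and not Palladino’s: the contract and function names are mine, the single-owner execute() is a simplification (the real wallet collected confirmations from several owners), and the syntax is Solidity 0.8 rather than the 0.4 the original targeted. It shows the shared library, the thin wallet that forwards calls to it with delegatecall, and the two guards that close the hole.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the pattern described above; NOT Parity's code.
// All logic lives in one shared library contract. Each wallet is a thin shell that
// delegatecalls into it, so the library's code runs against the *wallet's* storage.
// The storage layouts of library and wallet must therefore line up slot for slot.

contract WalletLibraryVulnerable {
    address[] public owners;   // slot 0
    uint256 public required;   // slot 1

    // Intended as one-time "constructor" logic run by the wallet at deployment.
    // Nothing stops it from being run again on a live wallet.
    function initWallet(address[] calldata _owners, uint256 _required) external virtual {
        owners = _owners;
        required = _required;
    }

    function isOwner(address a) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == a) return true;
        }
        return false;
    }

    // Simplified: a single owner moves funds. Multi-owner confirmations would not
    // help here either once the attacker has made themself the only owner.
    function execute(address payable to, uint256 value) external {
        require(isOwner(msg.sender), "not an owner");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}

contract WalletVulnerable {
    address[] public owners;   // slot 0, mirrors the library
    uint256 public required;   // slot 1
    address public lib;        // slot 2, used only by the wallet itself

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Every call the wallet does not handle itself is forwarded, initWallet included.
    // Attack path: call wallet.initWallet([attacker], 1). The delegatecall overwrites
    // slots 0 and 1, the attacker is now the sole owner, and execute() empties the wallet.
    fallback() external payable virtual {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}

// Fix on the library side: initialization is allowed only while the wallet has no owners.
contract WalletLibraryHardened is WalletLibraryVulnerable {
    modifier onlyUninitialized() {
        require(owners.length == 0, "already initialised");
        _;
    }

    function initWallet(address[] calldata _owners, uint256 _required)
        external override onlyUninitialized
    {
        owners = _owners;
        required = _required;
    }
}

// Fix on the wallet side: forward only an explicit allowlist of selectors. The
// constructor still reaches initWallet directly, so it is never callable from outside.
contract WalletHardened is WalletVulnerable {
    bytes4 private constant EXECUTE = bytes4(keccak256("execute(address,uint256)"));
    bytes4 private constant IS_OWNER = bytes4(keccak256("isOwner(address)"));

    constructor(address _lib, address[] memory _owners, uint256 _required)
        WalletVulnerable(_lib, _owners, _required)
    {}

    fallback() external payable override {
        require(msg.sig == EXECUTE || msg.sig == IS_OWNER, "selector not forwarded");
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

Either guard on its own closes this particular path. The library-side check is what stops re-initialization; the selector allowlist is the “specify exactly which functions” principle from the paragraph above, and it also means a function added to the library later cannot become reachable through deployed wallets by accident. Because delegatecall runs library code against the wallet’s storage, any mismatch between the two layouts silently corrupts the wallet, which is why owners and required occupy the same slots in both contracts.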

Ethereum was down nearly 15 percent against the US Dollar in the past 24 hours today, according to Cryptocompare, though its biggest dip in price took place before news of the vulnerability was made public.

It is the second multi-million-dollar hack to hit an Ethereum-based project this week. On Monday, a hacker misdirected 7 million USD worth of funds contributed during the token sale of a project called CoinDash. The hacker reportedly compromised CoinDash’s website and replaced the sale’s contribution address with an Ethereum address under their own control.

Blockchain developer Manuel Aráoz, chief technology officer at Zeppelin, spotted the fund transfers and began researching the vulnerability and looking up victims in a series of tweets.

According to Aráoz, Edgeless Casino, Swarm City and Aeternity Blockchain were affected.

Aráoz promised a forthcoming blog post explaining how the vulnerability behind the reported hack worked. He posted that OpenZeppelin’s multi-signature wallet implementation was not affected.

Crypto forum users cautioned one another to look out for follow-on fraud, in which scammers may try to take advantage of the situation by impersonating the Parity team, offering fraudulent “rescue” addresses, or asking for users’ private keys. Parity’s own advice was simply to move funds out of the affected wallets, which the existing owners can do by signing a transaction themselves; no legitimate recovery requires handing a private key to anyone.

This post will be updated as we learn more.

Thanks for reading our newsletter. Reply to tell us what you think. Then forward this to your allies and tell them to sign up.

Token Report is an independent financial information service founded by Galen Moore and Peter Vessenes. Galen is a financial journalist with a background in startups, venture capital and launching news sites. Peter is a co-founder of the Bitcoin Foundation, and launched the first VC-backed Bitcoin company in 2011. He is managing director at New Alchemy, a boutique consulting and investment group based in Seattle, Wash., that is making a pre-seed investment in Token Report.​

Nothing contained in Token Report materials or posted at tokenreport.com constitutes an offer or a solicitation of an offer to buy or sell a security, financial instrument, or other category of asset, or investment advice or recommendation of a security, financial instrument or other category of asset. Tokens involve risk and are not suitable assets for everyone. Token Report believes its information was obtained from reliable sources but does not guarantee its accuracy or completeness and accepts no liability for losses arising from the publishing of this information. The information provided by Token Report is not a substitute for financial, legal and other professional advice. Each individual should always consult his or her own financial, legal or other professional advisors and discuss the facts and circumstances that apply to the individual.

