#TreatCodeLikeContracts: On exploiting Ethereum’s Fort Knox and audits
Author: Dr. Sebastian Bürgel, CTO, Validity Labs
And there it was again, another one of those shocking adrenaline rushes when refreshing Twitter just before dozing off:
At first sight this looked like a new variant of the MyEtherWallet scams currently doing the rounds, which are much like the “I am your bank, send me all your money” scams of the early 2000s. Except that this one was different. Not only was it retweeted by Gav (Gavin Wood) himself and visible across all media channels, it was also real. So what on earth was going on this time? (In case you joined the wild ride of Ethereum only recently: almost exactly one year ago, another smart contract lost USD 50 million, and the aftermath was impressively messy.)
The first problems seem to have been noticed by Swarm City at around 6:30 pm on Jul 20, 2017: their entire multi-signature wallet had been emptied. The “Ethereum competitor” Aeternity and the Edgeless Casino were the only two other known targets. Total losses amount to ETH 153,017 and are currently being held by the attacker at address 0xb3764761e297d6f121e79c32a65829cd1ddb4d32
Inspecting the transaction history of this account reveals that the first attack had already happened a day earlier and it took the attacker a good 13 hours to find the other two victim contracts. Actually finding other contracts would have been quite easy: The Etherscan blockchain explorer reveals 569 identical copies of this contract — all of them with zero balance by now.
Luckily for all other projects, the White Hat Group, already known from its response to the TheDAO exploit, moved quickly. Their account was used to drain all other exposed contracts before the attacker could reach them, and it currently holds ETH 377,110 as well as various tokens amounting to USD 80 million.
Multi-signature wallets are regarded best practice as they do not expose funds to a single private key that might be compromised or be lost. Instead, multiple parties are required to sign a transaction with their corresponding private keys in order to move funds.
Such a multi-signature wallet was at the core of the current exploit. Dr. Gavin Wood, co-founder of Ethereum and founder of the Ethereum technology development company Parity had created a popular wallet that was used in many projects and generally regarded as secure. Multiple projects were using his multi-signature wallet in order to comply with best practices that are admittedly still under heavy development.
A crucial “enhanced” version of this wallet came out in early 2017. This particular version introduced a critical security issue in the following function (see if you can spot it):
```solidity
// Parity multi-signature wallet library, initializer as shipped (before the fix)
function initWallet(address[] _owners, uint _required, uint _daylimit) {
    initDaylimit(_daylimit);
    initMultiowned(_owners, _required);
}
```
This function initializes the wallet with the addresses that have signature rights and specifies the number of required signers as well as a daily spending limit. There are two important issues with this function:
- The function carries no visibility modifier. The Solidity compilers of the time treated such a function as public, so it could be called not just from inside the wallet contract itself but also from any external account.
- The function does not check whether the wallet has already been initialized, so a second call simply overwrites the owner set that was already configured. Whoever makes that call can name themselves the sole owner with a required signature count of one, and from then on authorize transfers of the entire balance.
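As an added illustration (not the page’s or Parity’s own code), here is what the same initializer looks like once both points above are addressed, written for a current Solidity compiler. The contract, the modifier `onlyUninitialized` and the state names (`numOwners`, `required`, `dayLimit`, `isOwner`) are assumptions made for this example. Note that an initializer normally has to stay callable by whoever deploys the wallet, so the decisive fix is not hiding it but refusing to run it a second time.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative owner bookkeeping for a multi-signature wallet. Names are
// chosen here for readability and are not the Parity wallet's identifiers.
contract GuardedMultiOwned {
    uint public numOwners;                 // stays 0 until initWallet has run once
    uint public required;                  // signatures needed to move funds
    uint public dayLimit;                  // spending allowed below full quorum
    mapping(address => bool) public isOwner;
    address[] public owners;

    event Initialized(address indexed by, uint ownerCount, uint required);

    // Fix for the second issue: refuse to run once an owner set exists.
    // After the first call numOwners > 0, so any later call, including an
    // attacker's attempt to replace the owners, reverts.
    modifier onlyUninitialized() {
        require(numOwners == 0, "wallet already initialized");
        _;
    }

    // Fix for the first issue: an explicit visibility keyword. Solidity >= 0.5
    // makes this mandatory; the 2017 compiler silently made an unmarked
    // function public. The initializer still has to be reachable by the
    // deployer, so it is `external`, and the guard above is what makes that safe.
    function initWallet(address[] calldata _owners, uint _required, uint _daylimit)
        external
        onlyUninitialized
    {
        require(_owners.length > 0, "no owners");
        require(_required > 0 && _required <= _owners.length, "bad quorum");
        for (uint i = 0; i < _owners.length; i++) {
            address o = _owners[i];
            require(o != address(0) && !isOwner[o], "invalid or duplicate owner");
            isOwner[o] = true;
            owners.push(o);
        }
        numOwners = _owners.length;
        required = _required;
        dayLimit = _daylimit;
        emit Initialized(msg.sender, numOwners, _required);
    }

    // Accept ether deposits.
    receive() external payable {}
}
```

Deploy the contract, call `initWallet` once from the deploying account, and then call it again from any other account: the second call reverts with “wallet already initialized” instead of handing the caller the owner set.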
Within a few hours, the White Hat Group announced that the secured funds would not only be reimbursed, but that they would also deploy the fixed version of the multi-signature wallet that had been developed in the meantime. The funds would then be retrievable from the new address in the same fashion as from the previous version of the wallet, minus the exploit.
Here it is worth noting that smart contracts which hard-code the old wallet address (and are, most likely, not upgradable) will lose access to the wallet once the funds move to the new deployment. To the best of our knowledge, no such case is known yet, but Validity Labs is ready to support you in assessing the situation and mitigating.
While there was a wealth of lessons learned from the notable TheDAO hack, this time the take-home message seems rather simple: audit any code that directly handles large assets. You would have a multi-million-dollar term sheet assessed by multiple lawyers. For smart contracts, the rules should be no different: consult specialists to do in-depth code review and security audits.
The bottom line of TheDAO was that #CodeIsLaw is not such a good idea. This time it seems that we learned to #TreatCodeLikeContracts.
Find out more about our blockchain courses, consulting, development and audit work at https://validitylabs.org/