Not again: Hackers steal $32 million worth of Ethereum
Ethereum has become a top target for hackers.
The promising cryptocurrency that’s also a platform for decentralized applications has skyrocketed in value over the last six months (though it also had a serious drop in price in the last couple of weeks). But hacker attacks and theft of ether have become commonplace, and the latest one is one of the worst so far.
An unknown hacker or group of hackers exploited a vulnerability in the way Parity, an Ethereum wallet, implemented multi-sig wallets, stealing some 153,000 ether, which was valued at around $32 million at the time of the theft.
According to a security alert on the Parity blog dated July 19, the vulnerability has been fixed, but "any user with assets in a multi-sig wallet created in Parity Wallet prior to 19/07/17 23:14:56 CEST," was vulnerable to ether theft.
The theft has indeed happened and it can be seen on Ethereum’s blockchain here. According to a post by the CEO of decentralized commerce platform Swarm City, Matthew Carano, the funds held by the company in a multi-sig wallet were completely drained on July 19, and additional funds were stolen from other companies including Edgeless Casino and Aeternity.
A multi-sig wallet is a wallet that requires more than one signature for an action to be performed on its contents. Users who had regular wallets on Parity were not in danger (incidentally, the author of this text has until recently held some ether in a Parity wallet, but not a multi-sig one).
IMPORTANT: SECURITY ALERT: https://t.co/h5vc0KwAxS Move funds in multi-sig wallet created in Parity Wallet 1.5 or higher immediately.
— Parity Technologies (@ParityTech) July 19, 2017
What makes this theft particularly troublesome is that Parity is one of the most trusted wallets in the business. The company was founded by Gavin Wood, who is also a co-founder of Ethereum and wrote the initial implementation of Ethereum back in 2014. Furthermore, it appears that no amount of caution on the users’ side could’ve prevented the theft.
If the creator of Solidity, Gavin Wood, cannot write a secure multisig wallet in Solidity, pretty much confirms Ethereum is hacker paradise. https://t.co/WAR3eltfWl
— Charlie Lee (@SatoshiLite) July 19, 2017
According to CyberScoop, a group of white hat hackers saved Parity users from further damage by exploiting the vulnerability (which was apparently "trivial" to exploit) and draining all of the remaining multi-sig wallets on Parity, a total of 377,000 ETH worth more than $75 million. Those transactions can be seen here. The group has promised to return the funds to their owners once the vulnerability is fixed.
#Ethereum security model: good guys hack your smart contract faster than bad guys
— Federico Tenga (@FedericoTenga) July 20, 2017
This isn’t even the first ether theft this week. On Tuesday, an initial coin offering (ICO) of an Ethereum-based startup called CoinDash went south as hackers managed to change the wallet address on the project’s web page, siphoning away more than $10 million worth of ether.
And in June 2016, hackers exploited a vulnerability in the code of DAO, another Ethereum-based project, stealing some 3.6 million ether, which today would be worth a whopping $742 million. To repair the damage, Ethereum’s management decided to create a hard fork in the software, undoing the theft but also splitting Ethereum into two separate cryptocoins: Ethereum and (today far less valuable) Ethereum Classic.