A hacker has stolen more than US $30 million worth of Ethereum cryptocurrency tokens by abusing a vulnerability affecting a wallet client.
The attack occurred between 19:00-20:00 UTC on 19 July. Parity, a company founded by Ethereum creator Gavin Wood, detected the hack shortly thereafter. It subsequently released a security advisory warning of a "critical" vulnerability affecting versions 1.5 and later of its wallet.
According to Parity's warning, the flaw specifically plagued a wallet variant of the company's standard multi-sig contract. Multi-sig ("multiple-signature") wallets are accounts for Ethereum, a blockchain-based distributed computing platform, that operate under the control of multiple users with their own keys. Users can move funds out of a multi-sig wallet only if a majority of the wallet's owners sign transactions with their keys.
The party responsible for the hack exploited the flaw in vulnerable Parity wallets to move more than 150,000 Ether (then worth close to US $32 million) to an address under their control. The amount contained in the attacker-operated Ethereum wallet has since declined to just over 83,000 Ether, or about US $9 million.
It's unclear how many wallets from which the hacker stole. At least three victims have come forward so far. The first, a peer-to-peer sharing economy known as Swarm City, lost 44,055 Ether in the hack. As quoted in a press release:
"At approximately 12:30 PM ET Bernd Lapp, Business Hive leader noticed that the entire contents of the Swarm City ETH multisig wallet had been drained. Bernd checked the receiving address and noticed a few very large transactions had hit the same wallet. We alerted the Ethereum Foundation and multiple developer groups immediately."
Swarm City went on to say the attacker also stole from two similar projects, Edgeless Casino and Aeternity.
After Parity discovered the attack, individuals calling themselves "The White Hat Group" also exploited the bug to drain more than 377,000 Ether (close to US $80 million) from vulnerable wallets and move the funds to a secure address. This group, which is reportedly composed of security researchers associated with Ethereum, claims to have made this move out of benign intentions. As it states in a message to affected Ethereum users:
"White Hat Group(s) were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts...
"If you hold a multisig contract that was drained, please be patient. They will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and will return your funds to you there."
Users with vulnerable Parity multi-sig wallets should move their assets to a secure address if they haven't already. They should also be wary of phishers who might try to trick users into revealing their wallet addresses. In the meantime, Parity is working on a fix and has already ensured that future multi-sig wallets are protected against the vulnerability.
News of this hack comes just a few days after attackers stole US $7 million from unsuspecting Ethereum investors by hacking CoinDash's website and redirecting investors to an address under their control.