Hacker steals $30M worth of Ethereum by abusing Parity wallet flaw

Not the first Ethereum heist we’ve seen…THIS WEEK!


A hacker has stolen more than US $30 million worth of Ethereum cryptocurrency tokens by abusing a vulnerability affecting a wallet client.

The attack occurred between 19:00-20:00 UTC on 19 July. Parity, a company founded by Ethereum creator Gavin Wood, detected the hack shortly thereafter. It subsequently released a security advisory warning of a "critical" vulnerability affecting versions 1.5 and later of its wallet.

According to Parity's warning, the flaw specifically plagued a wallet variant of the company's standard multi-sig contract. Multi-sig ("multiple-signature") wallets are accounts for Ethereum, a blockchain-based distributed computing platform, that operate under the control of multiple users with their own keys. Users can move funds out of a multi-sig wallet only if a majority of the wallet's owners sign transactions with their keys.

The party responsible for the hack exploited the flaw in vulnerable Parity wallets to move more than 150,000 Ether (then worth close to US $32 million) to an address under their control. The amount contained in the attacker-operated Ethereum wallet has since declined to just over 83,000 Ether, or about US $9 million.

Screen shot of attacker-operated Ethereum wallet


It's unclear how many wallets the hacker stole from. At least three victims have come forward so far. The first, a peer-to-peer sharing economy known as Swarm City, lost 44,055 Ether in the hack. As quoted in a press release:

"At approximately 12:30 PM ET Bernd Lapp, Business Hive leader noticed that the entire contents of the Swarm City ETH multisig wallet had been drained. Bernd checked the receiving address and noticed a few very large transactions had hit the same wallet. We alerted the Ethereum Foundation and multiple developer groups immediately."

Swarm City went on to say the attacker also stole from two similar projects, Edgeless Casino and Aeternity.

After Parity discovered the attack, individuals calling themselves "The White Hat Group" also exploited the bug to drain more than 377,000 Ether (close to US $80 million) from vulnerable wallets and move the funds to a secure address. This group, which is reportedly composed of security researchers associated with Ethereum, claims to have made this move out of benign intentions. As it states in a message to affected Ethereum users:

"White Hat Group(s) were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts...

"If you hold a multisig contract that was drained, please be patient. They will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and will return your funds to you there."

Screen shot of White Hat Group-operated Ethereum wallet, taken at 19-07-2017 11:10 GMT.

Users with vulnerable Parity multi-sig wallets should move their assets to a secure address if they haven't already. They should also be wary of phishers who might try to trick users into revealing their wallet addresses. In the meantime, Parity is working on a fix and has already ensured that future multi-sig wallets are protected against the vulnerability.

News of this hack comes just a few days after attackers stole US $7 million from unsuspecting Ethereum investors by hacking CoinDash's website and redirecting investors to an address under their control.


3 Responses

  1. Dave

    July 21, 2017 at 4:32 pm #

    You should probably be warning of all cryptocoins potentially being a ponzi scheme. You're far better off buying real silver and gold coins, people.

    • AJC in reply to Dave.

      July 21, 2017 at 5:27 pm #

      To be absolutely certain you had better insist on physical delivery of those coins.

  2. Abubakar Tokarawa

    July 22, 2017 at 5:04 pm #

    I think people would now have their hand off to this business. And I do see this kind of hacking as a way of raising concern among Digital Currency guys.
