News broke yesterday of a massive breach of the Ethereum system, allowing hackers to steal more than 83,000 ETH (~$18 mln) from three major multisig wallets and deposit them into a single wallet.
As previously reported by Cointelegraph, the breach was stopped by an alert white hat hacker group who immediately drained a substantial number of other vulnerable wallets, protecting over $85 million worth of ETH.
Multisig Vulnerability
The hacker exploited a little known flaw in the Parity software suite affecting the multisig wallet contract.
The hacker was able to send two transactions to each of the contracts and drain the entire contents.
The first transaction, called an initWallet, was used to cause all public functions from the library to be callable by anyone using delegatecall, including initWallet, which then allowed the hacker to change the owner of the contract.
The hackers then made their address the only owner, and required only one confirmation to execute any transaction. Finally, they were able to simply send a transaction to a wallet owned exclusively by them, and drain the entire contents of the wallet.
The hack could have been prevented simply by not using the ‘delegatecall' function to allow for all library functions to be invoked externally on the wallet.
Impacts
The three drained wallets belonged to Edgeless Casino, æternity and Swarm City. All three have issued press releases stating the impact of the hack.
Edgeless Casino has confirmed the loss of 26 793 ETH ($5.6 million) which are in the hands of the hacker. However, Edgeless did seek to put the concerns of users and investors to rest by explaining their diversification policy after the ICO. The platform launch will occur as promised in Q3 of this year, though, as a protective measure, players will be forced to purchase EDG tokens in order to pay rather than being allowed to play with ETH directly.
æternity also issued a press release, detailing their specific losses (82K ETH) and also assuring investors that the project launch will continue according to plan. The company also employed a wide diversification strategy with BTC and other wallets in order to protect the necessary funds for business operations. An update on the site, however, stated:
“Together with æternity’s lawyer, we have contacted the Liechtenstein police authorities and filed charges. The police will forward the matter to Interpol.”
Swarm City stated that they had also suffered a loss totally 44,055 ETH. The company did not address other funds available for project launch, though they did reaffirm their commitment to developing Swarm City, stating:
The Swarm City Core team is more committed than ever to the development of Swarm City. The real value of our token lies in the community, and the technology the developers are creating. Black hat hackers, vulnerabilities, and bugs will not stop us from creating the decentralized sharing economy our community and the world craves.
The three companies are jointly considering what action to take against Gavin Woods, the developer behind the effected wallets.
Warning Shot
The massive hack is being seen by many as a warning shot. The complexity of the Ethereum system, while perhaps its greatest benefit, also presents massive risks to the funds of users. According to Santiago Palladino at Zeppelin solutions:
“This attack, however, makes clear that a set of best practices and standards is needed in the Ethereum ecosystem to ensure that these coding patterns are implemented effectively and securely. Otherwise, the most innocent-looking bug can have disastrous consequences.”
The Ethereal community will need to create new ways to prevent such breaches and protect their user base if they are to continue gaining support among cryptocurrency groups. This most recent breach calls into question the opinion of many that Ethereum will overtake Bitcoin as the vehicle of choice.