Massive “Hack” Hits Ethereum Parity Clients – More Than $30M Of Ether Still At Large [UPDATED]

UPDATED | July 24, 2017:

The White Hat Group announced that tonight it will begin returning funds rescued during the attack. If you were affected, please follow these instructions on how to reclaim your tokens.


UPDATED | July 20, 2017:

The second alleged attacker reported yesterday has been identified as independent White Hat Oleksii Matiiasevych. He told ETHNews about his decision to come to the community’s aid.


ORIGINAL | July 19, 2017:

At approximately 9:30 a.m. (Pacific Time) on July 19, 2017, a vulnerability in Ethereum clients was discovered that could allow an attacker to drain the funds of users who created “multi-signature” wallets – wallets that require multiple private keys to activate – using Parity client version 1.5 or later (released January 19, 2017). Ethereum Foundation members and Parity developers urge any users who control a multisig wallet created through a Parity node after that date to carefully and immediately move any remaining funds into another wallet that is not affected by the vulnerability. Recommended wallets are those created with MyEtherWallet, a Geth node, or any single-user wallets created on Parity.

A wallet was discovered belonging to a suspected malicious actor who had already exploited the vulnerability and “stole” approximately 153,000 Ether ($30.5 million) from three vulnerable wallets. Within five hours, a “White Hat” hacking group – a hacking collective that aims to discover and exploit vulnerabilities in digital products for benevolent purposes – announced that it had identified the vulnerability and performed the exploit on other susceptible wallets, draining approximately 377,000 Ether ($75 million) into its own wallet. The group intends to return the funds to affected wallet holders. At the time of this writing, the White Hat Group’s wallet also contained $80 million worth of other Ethereum-based tokens, though it is not clear if or how much of this total is related to this operation.

According to a tweet by Project Lead Manuel Aráoz of OpenZeppelin, the affected wallets belonged to Ethereum projects Swarm City, Æternity Blockchain, and Edgeless Casino. Project Blocktix.io also reported that it was the victim of what appears to be a second attacker utilizing the same exploit. If you notice funds are missing, you can check whether they were claimed by the White Hat wallet (listed below) to confirm they are safe. If your wallet was attacked, please monitor r/ethereum for an announcement on how to reclaim your funds.

White Hat Group’s Wallet: 0x1DBA1131000664b884A1Ba238464159892252D3a
First Alleged Attacker’s Wallet: 0xB3764761E297D6f121e79C32A65829Cd1dDb4D32
Second Alleged Attacker’s Wallet: 0x1Ff21eCa1c3ba96ed53783aB9C92FfbF77862584

The flaw was apparently caused by a bug in the affected Parity clients’ code that allowed an affected wallet’s initialization function to be called again after the wallet was created. This would effectively allow an attacker to call that code after the fact and claim ownership of the wallet, empowering them to send the funds to another address. One member of the Ethereum community called the exploit “the most obvious bug in the history of ethereum,” with others amazed that the vulnerability went undiscovered for over six months. At approximately 1:30 p.m. Pacific Time, Parity founder Gavin Wood committed a fix to the Parity GitHub that he believes should alleviate the vulnerability.
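The class of bug described above, as an added Solidity example that is not Parity's code and not part of the original article: a wallet whose initializer can be run again after setup, beside a version that locks initialization after the first call. All contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: hypothetical contracts, not Parity's wallet code.

contract ReinitializableWallet {
    mapping(address => bool) public isOwner;
    uint256 public required;

    // Flaw: nothing records that setup already happened, so any caller can
    // run this again later and register itself as an owner.
    function initWallet(address[] memory owners, uint256 threshold) public {
        for (uint256 i = 0; i < owners.length; i++) {
            isOwner[owners[i]] = true;
        }
        required = threshold;
    }
}

contract InitOnceWallet {
    mapping(address => bool) public isOwner;
    uint256 public required;
    bool private initialized;

    // Rejects every call after the first successful initialization.
    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    function initWallet(address[] memory owners, uint256 threshold)
        public
        onlyUninitialized
    {
        require(owners.length > 0, "no owners");
        require(threshold > 0 && threshold <= owners.length, "bad threshold");
        initialized = true; // lock before touching owner state
        for (uint256 i = 0; i < owners.length; i++) {
            require(owners[i] != address(0), "zero owner");
            isOwner[owners[i]] = true;
        }
        required = threshold;
    }
}
```

Where a wallet is deployed directly rather than configured by a later call, setting the owners in the constructor removes the separate initialization call altogether.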

For now, it is not clear who the malicious attacker is or whether the remaining victims will ever recover their funds. According to EtherScan, the malicious wallet is already dispersing its loot among other Ethereum wallets, possibly in an attempt to obfuscate its activities. But for now, it seems that so long as users follow the above instructions to verify and secure their wallets, they can continue to operate with normal security precautions in the Ethereum ecosystem.