At around 11:00 p.m. Eastern European time on July 19, 2017, Oleksii Matiiasevych was winding up a long day, working on some lingering tasks for his Ukrainian blockchain groups. Specifically, Matiiasevych – who is the executable distributed code contract (EDCC) architect at Ambisafe and advisor to Polybius Bank – was distributing some remaining balances according to the bounty program that his companies provide. He had just sent out the last bounty when a Slack message came in from a co-worker that linked to a single Tweet from Manuel Aráoz of OpenZeppelin:
Someone stole ~$32M (~153k ether) from three multisig wallets. More info and blog post coming soon.
— Manuel Aráoz (@maraoz) July 19, 2017
Like every curious Etherean, Matiiasevych immediately located the hacked addresses on the Ethereum blockchain. Comparing the affected contracts, it took Matiiasevych all of four minutes to discover the flaw – a bug in the widely used Parity client's multi-sig wallets that some have called "the most obvious bug in the history of Ethereum" – and recognize how an attacker could exploit it to transmit funds from those wallets to their own. He quickly searched for other addresses built on the faulty Parity code, only to discover they had already been drained as well.
The news was quickly saturating the ecosystem. In a community of developers, it was likely that others could discover the same vulnerability once they were tipped off on where to look. At the time, whether the party draining these wallets was the same attacker or another party running the same ploy was unclear, but someone had apparently beaten Matiiasevych to all the wallets. Well, almost.
"After several refreshes of the page," Matiiasevych told ETHNews, "I found some [wallets] that still held thousands of Ether. I made a quick script to pull out from one of them and then I pulled out [Ether] from some others manually." While he watched the funds flow from the vulnerable wallets into his own, chatter flooded every communication channel as the ecosystem came to accept that Ethereum was under the largest attack against its core infrastructure in its short history.
Unlike the DAO event, which involved community members choosing to place their personal wealth into a knowingly risky and untested idea, the vector of this attack was a vulnerability in the wallets themselves. This pillar of the technology has gone without a security vulnerability for so long that users virtually take it for granted. But like the DAO, a team of Ethereum insiders worked in secrecy to stop the attacker and rescue their Etherean brethren. The "White Hat Group" – a loosely organized team of skilled Ethereum developers and security experts – had leaped into action, saving the funds of many of the wallets Matiiasevych initially discovered were already drained. The White Hat Group's collective wallet accumulated over $150 million worth of Ether and other tokens in their attempt. But even with that impressive bounty, they had still missed a few.
Matiiasevych's total loot amounted to $1,402,996.09 – just a speck compared to the recovered funds collected by the White Hat Group – but a sizeable amount that could have allowed him to live comfortably in Ukraine for at least several years. More importantly, it would have meant a lot to the fledgling ticket distribution project Blocktix, which announced yesterday that it had lost 3,916 Ether to the attack, representing roughly 40 percent of the funds raised in its ongoing token offering. When Blocktix discovered the funds were missing and were not rescued by the White Hat Group, the team embraced the apparent reality, stating on its blog "we have to consider the funds lost." Considering the team is only aiming to raise $7,700,000 and is still fairly short of that goal, a malicious actor running off with those funds, overlooked by Ethereum's first line of defense, could have been the death of the young project.
But fortunately, Matiiasevych is not that kind of hacker. He promptly contacted the White Hat Group, notifying them that he had rescued funds from several wallets beyond their search that he would like to return to their rightful owners.
As for the hacker, Matiiasevych pondered their strange behavior of only stealing approximately $30 million when they could have gotten away with a lot more. "I think he learned from the DAO hack … he stole a big amount for a single person but not enough for the entire Ethereum market cap. 10 percent of all Ether volume was stolen [in the DAO hack] while here it is like 0.1 percent. So, there won't be any hardforks. I think he didn't try to steal everything because he knew it would end badly for him."
Matiiasevych's willingness to do what is right and his initiative to utilize his skills to help his fellow blockchain projects likely reflect the general feeling of many developers in the community. "I am pretty happy with the actions of the community," Matiiasevych explained. Perhaps unsurprisingly, he had not even considered accepting donations. "I really didn't think about it," he laughed to ETHNews.
On July 21, 2017, some technical aspects of this article were updated for accuracy.