Stories
Slash Boxes
Comments

SoylentNews is people

$30 Million Below Parity: Ethereum Wallet Bug Fingered in Mass Heist

posted by Fnord666 on Thursday July 20 2017, @11:09AM   Printer-friendly
from the oops dept.

MrPlow writes:

Submitted via IRC for Bytram

A vulnerability in Parity's Ethereum wallet software has been exploited by thieves to rob victims on a massive scale.

A few hours ago, Parity told its users to move their ETH holdings from their in-browser wallets to more secure accounts immediately:

The warning came after three transactions appeared on Etherscan.io, in which accounts were drained of 150,000 coins worth just over US$30 million at the current price. It's understood a trivial programming blunder in Parity's code allowed crooks to hijack strangers' wallets at will.

Coindesk reports 377,000 more Ether were at risk of theft, but were drained into holding accounts by white hats. That gallant action was outlined by Kurt Knudsen on Parity's Gitter channel:

The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts. The White Hat account currently holding the rescued funds is [here].

Source: https://www.theregister.co.uk/2017/07/20/us30_million_below_parity_ethereum_bug_leads_to_big_coin_heist/

Original Submission

 
This discussion has been archived. No new comments can be posted.
$30 Million Below Parity: Ethereum Wallet Bug Fingered in Mass Heist | Log In/Create an Account | Top | 11 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Interesting) by tonyPick on Thursday July 20 2017, @02:07PM (7 children)

    by tonyPick (1237) on Thursday July 20 2017, @02:07PM (#541910) Homepage Journal

    Where it's worth reading the comments
    https://news.ycombinator.com/item?id=14807779 [ycombinator.com]

    and specifically this:
    https://news.ycombinator.com/item?id=14810008 [ycombinator.com]

    as to the underlying problems with Solidity (the language used to write smart contracts for the Ethereum VM). TLDR - writing secure languages very very is hard. Trying to build one out of Javascript is bordering on the mildly insane...

    And whilst we're calling it a vulnerability and throwing around the word "thieves": If the position of the Ethereum guys is that "the code is the contract", then the guys who drained the accounts were simply better at reading the contract - by definition what the code actually did was what you agreed to, even if you didn't like the outcome...

    Starting Score:    1  point
    Moderation   +2  
       Interesting=1, Underrated=1, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4  

  • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @02:09PM

    by Anonymous Coward on Thursday July 20 2017, @02:09PM (#541911)

    I avoided the whole ETC thing over the "Turing complete" aspect alone.

  • (Score: 2) by JNCF on Thursday July 20 2017, @04:47PM (4 children)

    by JNCF (4317) on Thursday July 20 2017, @04:47PM (#541974) Journal

    If the position of the Ethereum guys is that "the code is the contract", then

    It's not. The Ethereum folks did a hard-fork of their own blockchain to roll back a prominent "theft" of coins in the past, while Ethereum Classic takes the position that code is law. In Math We Trust? In Mob We Trust? Fork if I know.

    I wonder if any of the other high level Ethereum languages are more reasonable.

    • (Score: 2) by bob_super on Thursday July 20 2017, @06:10PM (2 children)

      by bob_super (1357) on Thursday July 20 2017, @06:10PM (#542011)

      I'd like someone to film themselves explaining to grandma that this is money, and you have to trust the math and disregard volatility. But if something unexpected happens, others might just decide to "fork the blockchain".
      The mattress-with-underpockets business isn't about to die.

      • (Score: 2) by JNCF on Thursday July 20 2017, @06:38PM

        by JNCF (4317) on Thursday July 20 2017, @06:38PM (#542019) Journal

        Note that there is still a blockchain in which the original contract was respected, and that the value of the currency on that blockchain happens to be significantly higher today than it was before the fork. I'm not even convinced that hard-forks are unhealthy, though they do raise questions. The precedent set by a community rolling back transactions certainly leaves a bad taste in my mouth.

        I do get your point. It took us a long time to transition from metal to paper, and some people still haven't. Moving from paper to information won't be easy. I'm really excited by what is happening with blockchains, but I don't think we're ready for mass adoption yet.

      • (Score: 0) by Anonymous Coward on Friday July 21 2017, @01:16AM

        by Anonymous Coward on Friday July 21 2017, @01:16AM (#542129)

        A quick search didn't find any mattresses with money pockets, but you are correct that this is still popular according to this 2015 article,
              http://www.businessinsider.com/americans-hide-money-under-the-mattress-2015-2 [businessinsider.com]

        A new survey of more than 1,800 people from the American Express Spending and Savings Tracker, however, found that 43% of Americans keep their savings in cash. An alarming 53% of those cash-hoarders "plan to hide bills in a secret location at home."

        While the survey itself doesn't explain why, it's reasonable to assume that at least some of these savers feel safer with money where they can see it, as opposed to hidden away in a bank that has played the bad guy since 2008. According to a 2014 Harris Poll, half of Americans say their trust in banks has declined in recent years.

    • (Score: 2) by tonyPick on Friday July 21 2017, @05:40AM

      by tonyPick (1237) on Friday July 21 2017, @05:40AM (#542212) Homepage Journal

      I'd agree that practically this isn't the case, given the whole Ethereum Classic split, but it's worth highlighting that the Ethereum pages still have the claims:

      ...full transparency, complete accountability and complete immunity from any human interference. While the network lives the contracts will execute exactly the code they were created to execute, without any exception, forever.

      (from https://www.ethereum.org/dao) [ethereum.org]

      So it's a claim they're still making, even if the practical position has "unless *we* lose out, in which case all bets are off".

  • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @11:47PM

    by Anonymous Coward on Thursday July 20 2017, @11:47PM (#542107)

    Then they should have picked a better base language, one like Lua. Lua lets you encapsulate the entire environment and present a subset of that to another segment of code. It's often used as the scripting language in video games and works well in preventing modders from accessing the rest of the game or breaking out of the restricted sandbox.

    This was the bug. Basically someone didn't mark a function private, so hackers were able to call it using their user ID and someone else's wallet ID: "The initWallet function should have been marked internal, but was instead not marked. Unmarked functions default to public in Solidity, so anyone can call that function and reinitialize the wallet to be under their control" ~some reddit user

    Clearly no one who knew anything about security designed their system.