
SoylentNews is people

posted by Fnord666 on Thursday July 20 2017, @11:09AM
from the oops dept.

Submitted via IRC for Bytram

A vulnerability in Parity's Ethereum wallet software has been exploited by thieves to rob victims on a massive scale.

A few hours ago, Parity told its users to move their ETH holdings from their in-browser wallets to more secure accounts immediately:

The warning came after three transactions appeared on Etherscan.io, in which accounts were drained of 150,000 coins worth just over US$30 million at the current price. It's understood a trivial programming blunder in Parity's code allowed crooks to hijack strangers' wallets at will.

Coindesk reports 377,000 more Ether were at risk of theft, but were drained into holding accounts by white hats. That gallant action was outlined by Kurt Knudsen on Parity's Gitter channel:

The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped find these vulnerable contracts. The White Hat account currently holding the rescued funds is [here].

Source: https://www.theregister.co.uk/2017/07/20/us30_million_below_parity_ethereum_bug_leads_to_big_coin_heist/



Related Stories

Robbing the Ethereum Stagecoach

Some time ago, I wrote that I had given up on Ethereum. While the problems coming from the DAO hack are now in the past, Ethereum has had a few other problems.

Granted, these problems have nothing to do with Ethereum itself. They are all exploits in the surrounding ecosystem. Hacking the CoinDash website to replace their public wallet address was particularly cheeky. This all reminds me of tales of the Wild West, when money was transferred between banks by stagecoach or by train. The technology simply didn't exist to provide the necessary security way the heck out on the prairie.

Seems like that's where we are now. The necessary technology does not exist to provide the security that currencies like Ethereum and Bitcoin really require. Website hacks are a dime a dozen, and when a hack can be worth $millions... The same for software: When professional programmers still write code vulnerable to SQL injection - when our platforms even allow this as a possibility - then we simply do not have the technology to secure the stagecoach.

Previously:
$30 Million Below Parity: Ethereum Wallet Bug Fingered in Mass Heist
Hacker Allegedly Steals $7.4 Million in Ethereum During ICO
Used GPUs Flood the Market as Ethereum's Price Crashes Below $150
Ethereum Mining Craze Leads to GPU Shortages
Ethereum Unusable, DAO Refunds Possible


  • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @11:47AM (2 children)

    by Anonymous Coward on Thursday July 20 2017, @11:47AM (#541881)

    BTC will fission in a few weeks, releasing the massive amounts of energy stored in the blockchain.

    • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @01:31PM (1 child)

      by Anonymous Coward on Thursday July 20 2017, @01:31PM (#541898)

      ...and nothing of value will be lost.

      • (Score: 3, Funny) by bob_super on Thursday July 20 2017, @06:14PM

        by bob_super (1357) on Thursday July 20 2017, @06:14PM (#542013)

        Many MegaWatts died to bring us this information.

  • (Score: 4, Interesting) by tonyPick on Thursday July 20 2017, @02:07PM (7 children)

    by tonyPick (1237) on Thursday July 20 2017, @02:07PM (#541910) Homepage Journal

    Where it's worth reading the comments
    https://news.ycombinator.com/item?id=14807779 [ycombinator.com]

    and specifically this:
    https://news.ycombinator.com/item?id=14810008 [ycombinator.com]

    as to the underlying problems with Solidity (the language used to write smart contracts for the Ethereum VM). TLDR - writing secure languages is very, very hard. Trying to build one out of Javascript is bordering on the mildly insane...

    And whilst we're calling it a vulnerability and throwing around the word "thieves": If the position of the Ethereum guys is that "the code is the contract", then the guys who drained the accounts were simply better at reading the contract - by definition what the code actually did was what you agreed to, even if you didn't like the outcome...

    • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @02:09PM

      by Anonymous Coward on Thursday July 20 2017, @02:09PM (#541911)

      I avoided the whole ETC thing over the "Turing complete" aspect alone.

    • (Score: 2) by JNCF on Thursday July 20 2017, @04:47PM (4 children)

      by JNCF (4317) on Thursday July 20 2017, @04:47PM (#541974) Journal

      If the position of the Ethereum guys is that "the code is the contract", then

      It's not. The Ethereum folks did a hard-fork of their own blockchain to roll back a prominent "theft" of coins in the past, while Ethereum Classic takes the position that code is law. In Math We Trust? In Mob We Trust? Fork if I know.

      I wonder if any of the other high level Ethereum languages are more reasonable.

      • (Score: 2) by bob_super on Thursday July 20 2017, @06:10PM (2 children)

        by bob_super (1357) on Thursday July 20 2017, @06:10PM (#542011)

        I'd like someone to film themselves explaining to grandma that this is money, and you have to trust the math and disregard volatility. But if something unexpected happens, others might just decide to "fork the blockchain".
        The mattress-with-underpockets business isn't about to die.

        • (Score: 2) by JNCF on Thursday July 20 2017, @06:38PM

          by JNCF (4317) on Thursday July 20 2017, @06:38PM (#542019) Journal

          Note that there is still a blockchain in which the original contract was respected, and that the value of the currency on that blockchain happens to be significantly higher today than it was before the fork. I'm not even convinced that hard-forks are unhealthy, though they do raise questions. The precedent set by a community rolling back transactions certainly leaves a bad taste in my mouth.

          I do get your point. It took us a long time to transition from metal to paper, and some people still haven't. Moving from paper to information won't be easy. I'm really excited by what is happening with blockchains, but I don't think we're ready for mass adoption yet.

        • (Score: 0) by Anonymous Coward on Friday July 21 2017, @01:16AM

          by Anonymous Coward on Friday July 21 2017, @01:16AM (#542129)

          A quick search didn't find any mattresses with money pockets, but you are correct that this is still popular according to this 2015 article,
          http://www.businessinsider.com/americans-hide-money-under-the-mattress-2015-2 [businessinsider.com]

          A new survey of more than 1,800 people from the American Express Spending and Savings Tracker, however, found that 43% of Americans keep their savings in cash. An alarming 53% of those cash-hoarders "plan to hide bills in a secret location at home."

          While the survey itself doesn't explain why, it's reasonable to assume that at least some of these savers feel safer with money where they can see it, as opposed to hidden away in a bank that has played the bad guy since 2008. According to a 2014 Harris Poll, half of Americans say their trust in banks has declined in recent years.

      • (Score: 2) by tonyPick on Friday July 21 2017, @05:40AM

        by tonyPick (1237) on Friday July 21 2017, @05:40AM (#542212) Homepage Journal

        I'd agree that practically this isn't the case, given the whole Ethereum Classic split, but it's worth highlighting that the Ethereum pages still have the claims:

        ...full transparency, complete accountability and complete immunity from any human interference. While the network lives the contracts will execute exactly the code they were created to execute, without any exception, forever.

        (from https://www.ethereum.org/dao) [ethereum.org]

        So it's a claim they're still making, even if the practical position has "unless *we* lose out, in which case all bets are off".

    • (Score: 0) by Anonymous Coward on Thursday July 20 2017, @11:47PM

      by Anonymous Coward on Thursday July 20 2017, @11:47PM (#542107)

      Then they should have picked a better base language, one like Lua. Lua lets you encapsulate the entire environment and present a subset of that to another segment of code. It's often used as the scripting language in video games and works well in preventing modders from accessing the rest of the game or breaking out of the restricted sandbox.

      This was the bug. Basically someone didn't mark a function private, so hackers were able to call it using their user ID and someone else's wallet ID: "The initWallet function should have been marked internal, but was instead not marked. Unmarked functions default to public in Solidity, so anyone can call that function and reinitialize the wallet to be under their control" ~some reddit user

      Clearly no one who knew anything about security designed their system.
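The bug class this comment describes, shown as an added example that is not from the page and not Parity's own wallet code: a Solidity 0.4-era wallet whose initialiser carries no visibility keyword (so it defaults to public and can be re-run by anyone after deployment) beside the hardened shape with `internal` visibility, a run-once guard and input validation. Apart from `initWallet`, which the comment names, every contract, function and variable name here is invented for the illustration, and the multisig confirmation logic is left out so the focus stays on the initialiser.

```solidity
pragma solidity ^0.4.11;

// Constructed illustration (not Parity's code). In Solidity 0.4.x a
// function with no visibility keyword defaults to public, so anyone can
// call initWallet again and replace the owner set with their own.
contract VulnerableWallet {
    address[] public owners;
    uint public required;

    // Constructor: hands the initial owner list to initWallet.
    function VulnerableWallet(address[] _owners, uint _required) public {
        initWallet(_owners, _required);
    }

    // BUG: no visibility keyword (defaults to public) and no guard
    // against a second call, so any caller can rewrite `owners`.
    function initWallet(address[] _owners, uint _required) {
        owners = _owners;
        required = _required;
    }

    function isOwner(address who) public constant returns (bool) {
        for (uint i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }

    // Owner-gated withdrawal (single owner for brevity; a real multisig
    // would collect `required` confirmations). The gate is worthless
    // once the owner list itself can be rewritten by anyone.
    function withdraw(address to, uint amount) public {
        require(isOwner(msg.sender));
        to.transfer(amount);
    }

    function () public payable {}
}

// Hardened shape: the initialiser is internal (reachable only from the
// constructor), refuses to run twice, and validates its inputs.
contract HardenedWallet {
    address[] public owners;
    uint public required;
    bool private initialised;

    function HardenedWallet(address[] _owners, uint _required) public {
        initWallet(_owners, _required);
    }

    // FIX: explicit `internal` visibility plus a run-once guard.
    function initWallet(address[] _owners, uint _required) internal {
        require(!initialised);
        require(_owners.length > 0);
        require(_required > 0 && _required <= _owners.length);
        initialised = true;
        owners = _owners;
        required = _required;
    }

    function isOwner(address who) public constant returns (bool) {
        for (uint i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }

    function withdraw(address to, uint amount) public {
        require(isOwner(msg.sender));
        to.transfer(amount);
    }

    function () public payable {}
}
```

The first contract is deliberately a 0.4-era shape: from Solidity 0.5.0 onward the compiler rejects a function with no visibility keyword, so it no longer compiles as written. On a 0.4 toolchain, the visibility warnings the compiler emits for `initWallet` and the fallback function are the review signal to act on; the second contract compiles without them because every function states its visibility.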
