Submitted via IRC for Bytram
A vulnerability in Parity's Ethereum wallet software has been exploited by thieves to rob victims on a massive scale.
A few hours ago, Parity told its users to move their ETH holdings from their in-browser wallets to more secure accounts immediately:
The warning came after three transactions appeared on Etherscan.io in which accounts were drained of roughly 150,000 ETH, worth just over US$30 million at the price at the time. It's understood a trivial programming blunder in Parity's code allowed crooks to hijack strangers' wallets at will.
Coindesk reports 377,000 more Ether were at risk of theft, but were drained into holding accounts by white hats. That gallant action was outlined by Kurt Knudsen on Parity's Gitter channel:
The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped find these vulnerable contracts. The White Hat account currently holding the rescued funds is [here].
(Score: 0) by Anonymous Coward on Thursday July 20 2017, @11:47PM
Then they should have picked a better base language, one like Lua. Lua lets you encapsulate the entire environment and present a subset of that to another segment of code. It's often used as the scripting language in video games and works well in preventing modders from accessing the rest of the game or breaking out of the restricted sandbox.
This was the bug. Basically someone didn't mark a function private, so hackers were able to call it using their user ID and someone else's wallet ID: "The initWallet function should have been marked internal, but was instead not marked. Unmarked functions default to public in Solidity, so anyone can call that function and reinitialize the wallet to be under their control" ~some reddit user
Clearly no one who knew anything about security designed their system.
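The bug class described in the quoted Reddit explanation, as an added example that is not Parity's code and not from any commenter above: a constructed, deliberately minimal wallet written in Solidity 0.4 syntax (the last line of compilers in which a function with no visibility keyword silently defaults to public). The wallet keeps the ether and forwards every unknown call to a shared library with delegatecall, so library code runs against the wallet's own storage; that pairing, and the names WalletLibraryVulnerable, WalletLibraryFixed, Wallet, Attacker and onlyUninitialized, are assumptions made for the illustration, not Parity's identifiers. The vulnerable library has an unmarked, unguarded initializer; the hardened one adds explicit visibility and a guard that refuses to run once an owner is set, since an initializer that is only ever called through delegatecall still has to be reachable for the legitimate first call.

```solidity
pragma solidity ^0.4.24;

// Constructed illustration (not Parity's code) of the bug class discussed
// above: a thin wallet contract that forwards calls to a shared library with
// delegatecall, so library code runs against the wallet's own storage.
// The first storage slot (`owner`) must sit at the same position in the
// wallet and in the library for that to work.

// Vulnerable library: `initWallet` carries no visibility keyword. In
// Solidity 0.4.x that means public, and nothing checks whether the wallet
// was already initialised, so anyone can re-run it through the wallet's
// fallback and install themselves as owner.
contract WalletLibraryVulnerable {
    address public owner;

    function initWallet(address _owner) {
        owner = _owner;
    }

    function execute(address _to, uint256 _value) public {
        require(msg.sender == owner);
        _to.transfer(_value);
    }
}

// Hardened library: explicit visibility plus a guard that lets the
// initializer run only while `owner` is still unset in the calling
// contract's storage. A second call reverts instead of handing over the wallet.
contract WalletLibraryFixed {
    address public owner;

    modifier onlyUninitialized() {
        require(owner == address(0), "already initialised");
        _;
    }

    function initWallet(address _owner) public onlyUninitialized {
        owner = _owner;
    }

    function execute(address _to, uint256 _value) public {
        require(msg.sender == owner);
        _to.transfer(_value);
    }
}

// The wallet itself: holds the ether, delegates all logic to the library.
contract Wallet {
    address public owner;          // slot 0: same position as in the library
    address public walletLibrary;  // slot 1: never touched by library code

    constructor(address _library, address _owner) public {
        walletLibrary = _library;
        // Run the library's initializer in this contract's storage context.
        require(_library.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner)));
    }

    // Plain ether transfers are accepted; any other call is forwarded to the
    // library unchanged, including a later call to initWallet(...).
    function() public payable {
        if (msg.data.length == 0) return;
        require(walletLibrary.delegatecall(msg.data));
    }
}

// The theft in miniature. Against WalletLibraryVulnerable the first call
// rewrites Wallet.owner to this contract and the second empties the wallet;
// against WalletLibraryFixed the first call reverts and nothing is lost.
contract Attacker {
    function drain(address _wallet) public {
        require(_wallet.call(abi.encodeWithSignature("initWallet(address)", address(this))));
        require(_wallet.call(abi.encodeWithSignature("execute(address,uint256)", address(this), _wallet.balance)));
    }

    function() public payable {}
}
```

Two checks worth taking from this: grep any pre-0.5 Solidity for functions without a visibility keyword (the 0.4.x compiler only warns), and treat every initializer reachable through a delegatecall-forwarding fallback as public entry into the proxy's storage, to be guarded by state rather than by the assumption that only a constructor calls it.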