Ethereum Parity Bug Destroys Over $250 Million In Tokens



If you follow cryptocurrency or blockchain at all, you will have heard about the Ethereum Parity Bug, which has effectively thrown $280 Million or more worth of Ethereum tokens in the bin.



It’s a bit of a mess really, and a mistake by the developers, who introduced it back in July while fixing another bug in their multisig wallets (wallets that require multiple people to approve a transaction before funds move).

You can see the thread on GitHub here: anyone can kill your contract #6995

There’s a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity’s wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.

Parity, which was set up by Ethereum core developer Gavin Woods, admitted today that a user calling themselves devops199 had “accidentally” triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods’ own savings.

Multi-signature wallets mean more than one person has to sign off on a transaction before funds are moved, and are popular with companies and investment groups looking to protect their assets. Unfortunately, Parity’s technology is seriously flawed: in July a hacker managed to exploit errors in the multi-signature code to steal about $30m in Ethereum.

In response to that cockup, Parity updated its wallet software to address the vulnerability, and rolled out a new version. However, that update contained another disastrous bug, one that would lock people out of their wallets. It was set off by devops199 on Monday, affecting anyone who had installed the new code since its release.


So far it seems this Ethereum Parity Bug has affected 573 wallets, which is quite a lot, according to the tool that lets you check whether you were affected:

Parity MultiSig Freeze Tool

This includes the loss of $90 Million or so owned by the Parity wallet owner and Ethereum core developer Gavin Woods.

“That code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function,” Parity’s advisory stated.

“It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

In a series of posts on GitHub, devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update.

A full list of 70-odd affected wallets has been uploaded to Pastebin.

Parity has confirmed the above sequence of events leading to this week’s catastrophe with The Register. So far there’s no response on whether it will be possible to unlock the wallets, or if there are any plans to recover punters’ digital dosh. We’ll post more information when it becomes available.
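The advisory above describes two things going wrong at once: the shared library contract could itself be initialised as a wallet because nothing recorded that it was already set up, and that library carried the self-destruct logic every wallet delegated to. The following Solidity is an added, simplified illustration written for this post, not Parity’s own code, of the hardened shape of that library/wallet pattern; the contract and modifier names (WalletLibrary, Wallet, onlyUninitialized) and the storage layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed, simplified illustration of a delegatecall wallet library.
// Not Parity's actual contract code.

// Hardened library: the shared logic contract. Slot 0 and slot 1 must be
// laid out identically in every wallet that delegatecalls into it.
contract WalletLibrary {
    address[] public owners;
    bool internal initialized;

    // The deployed library instance marks ITSELF initialized, so calling
    // initWallet directly on the library reverts: it can never be turned
    // into a regular wallet with an owner of the caller's choosing.
    constructor() { initialized = true; }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    // Runs in the wallet's storage context via delegatecall, once.
    function initWallet(address[] memory _owners) public onlyUninitialized {
        require(_owners.length > 0, "no owners");
        owners = _owners;
        initialized = true;
    }
    // Deliberately no selfdestruct here: wallets that delegate to this
    // code cannot have their logic erased by a single transaction.
}

// Thin wallet: holds its own state, delegates all logic to the library.
contract Wallet {
    address[] public owners;      // slot 0, mirrors WalletLibrary
    bool internal initialized;    // slot 1, mirrors WalletLibrary
    address public immutable lib; // immutable: lives in code, not storage

    constructor(address _lib, address[] memory _owners) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[])", _owners));
        require(ok, "init failed");
    }

    // Forward every other call to the library in this wallet's context.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
    receive() external payable {}
}
```

Because the library instance is initialised at deployment and contains no selfdestruct, the two conditions the advisory names cannot both be met against it.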

That’s a lot of money that just went in the bin, and I’d guess a whole bunch of angry people just went from being millionaires to having nothing. I hope those with a lot of coins who suffered a loss didn’t invest a lot of their own real-world money to get them.

That would be really painful.

It’s also interesting to note that following this the value of Ethereum has actually gone up, maybe because there’s less in circulation now? Or just more people found out about it.

There’s also no real way to fix the Ethereum Parity Bug unless Ethereum forks back to before the tokens got wiped out, which seems pretty unlikely. Vitalik has also been pretty quiet about the whole thing, only tweeting this.

The last crypto thing that most people didn’t know about was that most Bitcoin vendors are actually compromising the supposed anonymity of using cryptocurrencies.

Source: The Register

Posted in: Hacking News
