Ethereum Parity Bug Destroys Over $250 Million In Tokens

If you are into cryptocurrency or blockchain at all, you will have heard about the Ethereum Parity Bug that has basically thrown $280 Million value or more of Ethereum tokens in the bin.

Ethereum Parity Bug Destroys Over $250 Million In Tokens

It’s a bit of a mess really, and a mistake by the developers who introduced it after fixing another bug back in July to do with multisig wallets (wallets which multiple people have to agree to transactions).

You can see the thread on Github here: anyone can kill your contract #6995

There’s a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity’s wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.

Parity, which was set up by Ethereum core developer Gavin Woods, admitted today that a user calling themselves devops199 had “accidentally” triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods’ own savings.

Multi-signature wallets mean more than one person has to sign off on a transaction before funds are moved, and are popular with companies and investment groups looking to protect their assets. Unfortunately, Parity’s technology is seriously flawed: in July a hacker managed to exploit errors in the multi-signature code to steal about $30m in Ethereum.

In response to that cockup, rity updated its wallet software to address the vulnerability, and rolled out a new version. However, that update contained another disastrous bug, one that would lock people out of their wallets. It was set off by devops199 on Monday, affecting anyone who had installed the new code since its release.

So far it seems this Ethereum Parity Bug has affected 573 wallets, which is quite a lot – shown on the tool to check if you were affected:

Parity MultiSig Freeze Tool

This includes the loss of $90 Million or so owned by the Parity wallet owner and Etherum core developer Gavin Woods.

“That code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function,” Parity’s advisory stated.

“It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

In a series of posts on GitHub, devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update.

A full list of 70-odd affected wallets has been uploaded to Pastebin.

Parity has confirmed the above sequence of events leading to this week’s catastrophe with The Register. So far there’s no response on whether it will be possible to unlock the wallets, or if there are any plans to recover punters’ digital dosh. We’ll post more information when it becomes available.

That’s a lot of money that just went in the bin and I’d guess a whole bunch of angry people just went from being millionaires to nothing. I hope those with a lot of coins, who suffered a loss, didn’t invest a lot of their own real World money to get them.

That would be really painful.

It’s also interesting to note that following this the value of Ethereum has actually gone up, maybe because there’s less in circulation now? Or just more people found out about it.

There’s also no real way to fix Ethereum Parity Bug unless Ethereum forks back to before the tokens got wiped out by the bug, which seems pretty unlikely. Also Vitalik has been pretty quiet about the whole thing only tweeting this.

The last crypto thing that most people didn’t know about was that most Bitcoin vendors are actually compromising the supposed Anonymity of using Cryptocurrencies.

Source: The Register

Posted in: Hacking News


Latest Posts:

APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.

Comments are closed.