Another day, another cryptocurrency heist: this time, the attacker has stolen some $30 million in ether (ETH – value token of the Ethereum blockchain) from a number of vulnerable multisig Parity Wallets.
The attack and the current situation
The zero-day vulnerability that allowed the theft is actually present in Parity Wallet’s variant of the standard multi-sig (multi-signature) contract (and has already been fixed), but not before a group of professed whitehats has used it to drain many other vulnerable multisig wallets of their contents, for a total of 377 ETH, currently around $77.5 million).
The White Hat Group says that their action was done with the help of the “greater Ethereum Community that helped finding these vulnerable contracts,” and with the intention of protecting the funds from the original attacker.
They publicly identified the account holding the “rescued” funds, and asked holders of multisig contracts that were drained to be patient.
“We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there,” they said. “Effectively we will upgrade your multisig contract for you, all you will have to do is, be patient, find your new multisig address once we have finished, and it will be like nothing happened.”
Some of the wallets drained by the original attacker belonged to Edgeless Casino, Swarm City, and æternity, three projects built on Ethereum.
Blocktix also announced that one of their wallets has been hit by another attacker (or the original one using another address to which he or she delivered the stolen funds).
Zeppelin Solutions’s Santiago Palladino has more technical details of how the Parity multisig wallet exploit works, but in short: the attacker exploits the vulnerability to first obtain exclusive ownership of the multisig account (wallets that usually require multiple private keys to activate), and then simply moves the funds to another wallet.
He or she has already started distributing the stolen money to other many Ethereum wallets.
Advice for affected and non-affected users
Parity founder Gavin Wood has advised non-affected users to “immediately move assets contained in the multisig wallet to a secure address.”
Tyler Moffitt, Senior Threat Research Analyst at cybersecurity firm Webroot, says that the most secure place to put those funds are hardware or native wallets (desktop wallets).
“Do NOT store lots of currency in exchanges that control your private address. Only use them to make trades then back out to safe addresses,” he advises.
“The key takeaway from this hack is that we’re still exploring the Ethereum space and wallet security is more important than ever. This latest incident has serious ramifications. In fact, ETH price has actually taken a dip, and is likely due to the uncertainty around this breach,” he noted.
Users that have been affected are advised to see who actually drained their wallets. If it’s the White Hat Group, there is a chance they will see their “money” again. If it’s the attacker, I think it’s pretty sure they, unfortunately, won’t.