Parity Hacked: More Than 30 Million Dollars Lost

Aug 10, 2017

Parity got hacked??

 

On Wednesday, July 19th, 2017, several Parity multisig (multisignature) addresses were compromised by a group of “MultiSig Blackhat Exploiters.” Since the attack, only 70,000 of the estimated 153,000 stolen ETH have been withdrawn by the blackhat group involved.

 

While the client itself was not directly breached, a contract normally used within the client was vulnerable, leaving investor and user funds ripe for the picking by black hat attackers.

 

A number of well-known cryptocurrency and blockchain projects were affected by the vulnerability; that is to say, they lost funds as a result.

 

How did the hack happen?

 

The hack was possible because of a code flaw in the Parity Client. Multi-signature addresses were vulnerable due to a weakness in the Wallet.Sol contract. This weakness allowed funds to be transferred without real user permission, resulting in significant losses for those holding large sums in one place.

 

While wallets with large sums of tokens were targeted for quick profits, they were not the only addresses hit. Even some projects that had funds spread out between wallets had one or more of their wallets compromised.

 

Which cryptocurrency and blockchain projects were affected?

 

Several cryptocurrency and blockchain projects have been affected, including AEternity, Swarm City, and Edgeless Casino. These three projects alone reported combined losses of more than 120,000 ETH. At $220 per ETH at the time of the attack, the stolen sum would have been worth more than $26 million.

 

Several other projects were reported to have had their multisig wallets compromised, but smaller sums of ETH were taken overall. While the losses are, no doubt, devastating, many projects use more than one multisig wallet over the course of their different crowdfunding phases.

 

What happened to the lost funds?

 

More than 377,000 ETH were recovered by white hats after the attack. Not all ETH was recovered, however. It is estimated that roughly 70,000 ETH was converted to other crypto or to fiat and cannot be traced any further. Attackers from this hack are estimated to have taken roughly $14 million.

 

The address used to collect the stolen funds can be found here with a public note that “There are reports that funds were maliciously diverted to this account by the MultiSig Blackhat Exploiters.”

 

Since the incident, CoinDesk has reported that Changelly blacklisted the hacker’s root address following a 400 ETH withdrawal, valued at nearly $90,000 at the time of the withdrawal.

 

Will investors be affected?

 

Whether or not token sale participants will be affected depends on the project. In the case of AEternity, the project has announced that all donations will be counted as they were before the funds were stolen, so investors will not be directly impacted in terms of token count when tokens are distributed.

 

Other projects may elect to follow in their footsteps, but only individual projects can determine how they will react at this time. Here is a list of some affected projects and a statement from AEternity.

 

What steps can be taken to prevent this type of attack from being used in the future?

 

Some cryptocurrency projects have begun using unique, automatically generated wallet addresses to receive funds from the community. Two such projects are Everex and Agrello. This is far more secure for projects because they can secure funding without having enormous amounts of crypto stored in any given address.

 

Users should always monitor the URL of the site they are on in order to prevent social engineering attacks. Such advice rings true now more than ever, with the attack on CoinDash, as a result of a suspected DNS redirect on the 18th.

 

It is also recommended to store large amounts of crypto on hardware wallets or other cold storage tools to prevent theft in the event of software wallet compromise. Some examples include the Jaxx Ice Cube, TREZOR, and Ledger wallets. Alternatives even come in the form of jewelry and coins with QR addresses stamped onto them.

 

Summary

 

Cyber attacks are occurring with increasing frequency as the cryptospace expands, but as the number of attacks increases, the level of defense for projects must also increase in order to preserve trust in projects. In finance, managing trust is essential. In crypto, managing trust is one of the most pivotal aspects of a project in terms of success or failure.

 

This attack tragically highlights some of the risks involved with investing and operating online. While many individuals and entities are honest and genuine, there are many others who have very different intentions.

 
