There have now been two high profile cryptocurrency heists in the space of as many weeks, as hackers reportedly made off with $30 million in Ether last week.
The latest attack exploited a vulnerability in the Ethereum wallet client Parity, which allowed the hacker to send funds from a multi-sig contract wallet. Multi-sig wallets are designed so that multiple people have control over the keys, and funds cannot be moved unless a majority of them approve the move with their keys.
A security alert statement by Parity stated that affected users could be ‘any user with assets in a multi-sig wallet in Parity wallet prior to 19/07/17 23:14:56 CEST’.
Users were advised to immediately move their assets to a more secure address.
The attack compromised at least three ether addresses, according to Parity CTO and founder Gavin Wood. He also identified Edgeless Casino, Swarm City and æternity – all of which have recently had ICO projects on Ethereum – as being potential victims of the thefts.
A quick reaction
The $30 million was stolen in a matter of minutes, and it was only the actions of members of the Ethereum community that prevented the hackers from getting away with a much, much larger haul.
Rapidly analysing the attack, they realised that a huge number of other wallets were vulnerable.
The solution? They used the same vulnerability exploited by the hackers to hack the remaining wallets and drain them of resources before anyone else could get to them. In other words, the good guys robbed the bank in order to stop the bad guys from getting there first.
It is important to note that the vulnerability that was exploited was in the default smart contract code given to users rather than in Parity or Ethereum itself.
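To make the multi-sig rule from the opening paragraphs concrete, here is a small Python model of a contract wallet (an added example written for this page; it is not code from the article, from Parity or from the actual Ethereum contract). The article does not describe the specific defect in the default contract code, so the model does not reproduce it; it only shows the invariant a defender expects from a multi-sig wallet, that a single key cannot move funds and a strict majority can. The once-only initialiser guard is a generic hardening rule for contracts that set their owner list after deployment, included as an assumption of this example rather than as a description of the Parity code.

```python
"""Toy multi-sig wallet: funds move only when a majority of owners confirm.

Added illustration, not the article's or Parity's code. All names, balances
and owners below are constructed for the example.
"""
from dataclasses import dataclass, field


def majority_of(n_owners: int) -> int:
    """Smallest strict majority of n owners (2 of 3, 3 of 4, 3 of 5)."""
    return n_owners // 2 + 1


@dataclass
class Transfer:
    to: str
    amount: int
    confirmations: set = field(default_factory=set)
    executed: bool = False


class MultiSigWallet:
    def __init__(self):
        self.owners = None      # None until init_wallet() has run once
        self.required = 0       # confirmations needed to execute a transfer
        self.balance = 0
        self.transfers = []

    def init_wallet(self, owners, required):
        # Assumed hardening rule: initialisation may happen exactly once, so the
        # owner set cannot later be replaced by whoever calls this function.
        if self.owners is not None:
            raise PermissionError("wallet already initialised")
        owners = list(dict.fromkeys(owners))  # de-duplicate, keep order
        if not 0 < required <= len(owners):
            raise ValueError("required must be between 1 and the number of owners")
        self.owners = owners
        self.required = required

    def _only_owner(self, caller):
        if self.owners is None or caller not in self.owners:
            raise PermissionError(f"{caller} is not an owner")

    def deposit(self, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.balance += amount

    def propose(self, caller, to, amount):
        """An owner proposes a transfer; proposing counts as their confirmation."""
        self._only_owner(caller)
        if amount <= 0:
            raise ValueError("amount must be positive")
        t = Transfer(to, amount)
        t.confirmations.add(caller)
        self.transfers.append(t)
        return len(self.transfers) - 1

    def confirm(self, caller, tid):
        self._only_owner(caller)
        t = self.transfers[tid]
        if t.executed:
            raise RuntimeError("transfer already executed")
        t.confirmations.add(caller)
        return len(t.confirmations)

    def execute(self, caller, tid):
        """Send the funds only once the confirmation threshold is met."""
        self._only_owner(caller)
        t = self.transfers[tid]
        if t.executed:
            raise RuntimeError("transfer already executed")
        if len(t.confirmations) < self.required:
            raise PermissionError(
                f"only {len(t.confirmations)}/{self.required} confirmations")
        if t.amount > self.balance:
            raise ValueError("insufficient balance")
        t.executed = True
        self.balance -= t.amount
        return t.amount


def demo():
    """Walk through the invariant with three constructed owners."""
    w = MultiSigWallet()
    w.init_wallet(["alice", "bob", "carol"], majority_of(3))
    w.deposit(100)
    tid = w.propose("alice", "vendor", 40)
    results = {}
    try:                                 # one key alone must not move funds
        w.execute("alice", tid)
        results["single_key_moved_funds"] = True
    except PermissionError:
        results["single_key_moved_funds"] = False
    w.confirm("bob", tid)                # second of three owners: majority
    results["paid"] = w.execute("bob", tid)
    results["balance"] = w.balance
    try:                                 # nobody can re-run the initialiser
        w.init_wallet(["mallory"], 1)
        results["reinit_blocked"] = False
    except PermissionError:
        results["reinit_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks that matter for a defender are the ones `demo()` exercises: a transfer with only one confirmation is refused, and the owner list cannot be rewritten after deployment. Any real contract audit of a multi-sig wallet starts by confirming both hold for every public entry point.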
You can read an in-depth breakdown of the mechanics of the attack here.
The code in question was the result of a collaboration between Ethereum, open-source community members and Parity.