
153k Ether Stolen in Parity Multi-Sig Attack - campbelltown
https://etherscan.io/address/0xb3764761e297d6f121e79c32a65829cd1ddb4d32
======
int_19h
Just skimming through the Solidity docs, I see a lot of unwise decisions there
aside from the weird visibility defaults.

All state is mutable by default (this includes struct fields, array elements,
and locals). Functions can mutate state by default. Both are overridable by
explicit specifiers, much like C++ "const", but you have to remember to do so.
Even then, the current implementation doesn't enforce this for functions.

Integers are fixed-size and wrap around, so it's possible to have overflow and
underflow bugs. Granted, with 256 bits of precision by default that's harder
to do than usual... but still pretty easy if you e.g. do arithmetic on two
inputs.

Operators have different semantics depending on whether the operands are
literals or not. For example, 1/2 is 0.5, but x/y for x==1 and y==2 is 0.
Precision of the operation is also determined in this manner - literals are
arbitrary-precision, other values are constrained by their types.

Copy is by reference or by value depending on where the operands are stored.
This is implicit - the operation looks exactly the same in code, so unless you
look at declarations, you don't know what it actually does. Because mutability
is pervasive, this can have far-reaching effects.

Map data type doesn't throw on non-existing keys, it just returns the default
value.

The language has suffixes for literals to denote various units (e.g. "10
seconds" or "1000 ether"). This is purely syntactic sugar, however, and is not
reflected in the type system in any way, so "10 second + 1000 ether" is valid
code.

Statements allow, but do not require, braces around bodies. This means that
dangling "else" is potentially an issue, as is anything else from the same
class of bugs (such as the infamous Apple "goto fail" bug).

Functions can be called recursively with no special effort, but the stack size
is rather limited, and it looks like there are no tail calls. So there's the
whole class of bugs where recursion depth is defined by contract inputs.

Order of evaluation is not defined for expressions. This in a language that
has value-returning mutating operators like ++!

Scoping rules are inherited from JS, meaning that you can declare variables
inside blocks, but their scope is always the enclosing function. This is more
of an annoyance than a real problem, because they don't have closures, which
is where JS makes it very easy to shoot yourself in the foot with this
approach to scoping.
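
As an added illustration of the points above (example code, not from this thread or from Parity), here is how the three pitfalls that bite most often in practice are usually handled in 0.4-era Solidity: explicit visibility on every member, overflow- and underflow-checked arithmetic instead of trusting the wrapping `uint256`, and a separate existence flag so a mapping's silent zero default is never mistaken for a stored zero. The `Ledger` contract and its function names are illustrative assumptions.

```solidity
pragma solidity ^0.4.24;

// Added example, not code from the thread: defensive idioms for three of the
// language pitfalls listed above. Contract and names are illustrative.
contract Ledger {
    // Explicit visibility on every state variable and function, so nothing
    // depends on the public-by-default rule.
    mapping(address => uint256) private balances;

    // A mapping never throws on a missing key; it returns the zero value.
    // Track existence separately so "no entry" and "entry of 0" differ.
    mapping(address => bool) private known;

    // Credit the caller with the ether sent along with the call.
    function deposit() public payable {
        balances[msg.sender] = checkedAdd(balances[msg.sender], msg.value);
        known[msg.sender] = true;
    }

    // Only the caller's own balance can be withdrawn.
    function withdraw(uint256 amount) public {
        // Unsigned subtraction wraps below zero; check before subtracting.
        balances[msg.sender] = checkedSub(balances[msg.sender], amount);
        msg.sender.transfer(amount);
    }

    // Returns the balance together with whether an entry was ever written.
    function balanceOf(address who) public view returns (uint256 balance, bool exists) {
        return (balances[who], known[who]);
    }

    // uint256 arithmetic wraps silently; each operation verifies its result
    // and reverts the whole transaction on overflow or underflow.
    function checkedAdd(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "addition overflow");
        return c;
    }

    function checkedSub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "subtraction underflow");
        return a - b;
    }
}
```

The checks are deliberately written as `require` on the result rather than on the inputs where possible, because the wrap happens in the `+` itself; `c >= a` is the only post-condition that distinguishes a wrapped sum from a valid one.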

~~~
vog
I never understood why they chose such a hacky language (and a VM model that
encourages these kinds of languages), and expect people to write supposedly
secure (in the sense of: obviously correct!) code with it.

Any remotely popular functional programming language created over the last
years shows a better design (and taste) than this one.

And if that only attracts a certain type of programmers? (pun intended) That
is, programmers valuing languages like Haskell/OCaml/F#/Kotlin/Rust, who would
only ever touch C with verified compilers and 5 different static analysis
tools?

Well, that's exactly the kind of people you want to attract to write your
security-sensitive code.

~~~
avaer
99 out of 100 questions.

Solidity is ostensibly designed to let people write smart contracts for
Ethereum.

More realistically, it is a marketing tool for enabling and onboarding people
onto the Ethereum platform, which Ethereum benefits monetarily (enormously so)
from. Security and design are secondary goals to the extent that they help
prevent disasters which hurt adoption or churn developers away.

Through this lens it's not a mystery why the language is "hacky". Perhaps
being a good language is not even the driving goal.

~~~
vog
_> 99 out of 100 questions._

Curious question of a non-native speaker: What does this phrase mean? (in
general, and in this context)

~~~
jaytagdamian
[http://persuasive.net/what-is-the-answer-to-99-out-of-100-questions/](http://persuasive.net/what-is-the-answer-to-99-out-of-100-questions/)

~~~
boycaught
Brilliant... and so true!

------
earlz
Here's the root error I believe:
[https://github.com/paritytech/parity/blob/master/js/src/contracts/snippets/enhanced-wallet.sol#L216](https://github.com/paritytech/parity/blob/master/js/src/contracts/snippets/enhanced-wallet.sol#L216)

The initWallet function should have been marked internal, but was instead not
marked. Unmarked functions default to public in Solidity, so anyone can call
that function and reinitialize the wallet to be under their control.

~~~
dna_polymerase
I can literally feel how Ethereum changes the law. I mean, seriously, no need
for lawyers anymore. On ethereum it's simple: You got fucked, live with it.
"Bad faith? It's the code, didn't you read it?"

~~~
tzs
I realize that was probably satire or sarcasm or both, but since I've seen
people actually _seriously_ take that position I'm going to go ahead and
respond as if it was serious.

How do these smart contracts deal with the real world? I can see how they can
work for things that entirely involve activities that take place on the block
chain (e.g., a smart contract that automatically pays a crowd funded project
if and only if it meets a threshold for pledges by a deadline, and refunds the
donors otherwise).

But suppose our contract is something like I will pay you $X in Ethereum when
you deliver to me 125 bales of Surat cotton, guaranteed to be middling fair
merchant's Dhollorah [1], delivered at the Liverpool docks from Bombay on the
next sailing of the Peerless.

How do we put all of that into a smart contract? Can a smart contract trigger
payment only when the cotton arrives? Can it check to make sure it arrived on
the ship specified in the contract?

And what happens if it turns out that there are _two_ ships named Peerless,
unrelated to each other, one of which is sailing from Bombay to Liverpool in
October, and one in December? I only know about the December one, and it is on
that one that I'm expecting the cotton. You only know about the October one,
and so it is on that one you send the cotton. The cotton arrives before I'm
ready to deal with it.

Unless dealing with all that can be included in the smart contract, and
executed by the smart contract without human intervention, lawyers will still
be needed...and they will be needed almost as much as they are now.

PS: my cotton hypothetical is based on a real case: Raffles v Wichelhaus, EWHC
Exch J19, (1864) 2 Hurl & C 906. There really were two unrelated ships both
having and neither deserving the name Peerless, and both working the India /
England trade routes, both scheduled for Bombay to Liverpool, one in October
and one in December.

[1] Dhollorah is a very dirty cotton of a longish staple, which when cleared
is very white, as if bleached. For more than you probably ever wanted to
know on this and other types of cotton, see the book "Cotton Spinning and
Weaving: A Practical and Theoretical Treatise" by Herbert Edward Walmsley,
page 71. It's from the late 19th century and is public domain now I believe,
and you can find it on Google Books.

~~~
sniffles
Didn't you just describe an example where the ambiguity of human language is a
problem and a smart contract may actually have a better chance of performing
as expected?

~~~
runeks
Why do you assume smart contracts can't be ambiguous? A lot of people read
the DAO contract, and yet it took a hacker a while to find a small error -- if
I recall correctly it was a capitalization error -- that triggered an
unexpected exit path.

At some point you have to ask yourself whether we really prefer that code be
law, with the quality of code that's so common these days, or whether we
actually like being able to specify something to a lawyer -- rather than a
computer -- simply because the lawyer will return the contract and ask for
clarification if something is ambiguous/unclear.

The human-to-lawyer interface is the best contract interface that exists, the
only reason we use computers is because they're so cheap and fast. When we
dream of AI we dream of having a computerized lawyer, who can ask clarifying
questions and resolve ambiguity _before_ it becomes a problem.

------
finnh
I've posted this before [0], but it's still apropos regarding the foolishness
that is Ethereum.

[Ethereum] only makes sense if all of the following obtain:

(a) the code is 100% bug-free (b/c accidents cannot be rewound)

(b) all code-writers are 100% honest (their code does what they say)

(c) all contract participants are 100% perfect code readers (so as to not
enter into fraudulent contracts)

(Strictly speaking, only one of (b) and (c) needs to be true).

None of these conditions will ever obtain.

[0]
[https://news.ycombinator.com/item?id=14471465](https://news.ycombinator.com/item?id=14471465)

~~~
grandalf
Not really true. Nothing has to be perfect if there is insurance
infrastructure. People should not use contracts they have no reason to trust.

As a contract becomes more important it should be viewed/vetted/trusted by as
many entities as possible. Users of the contract should pay an insurance fee
that goes to the vetters, who promise to reimburse in case of unpredictable
behavior.

Yes, this means applying some meatspace solutions to Ether. However the smart
contract infrastructure itself is ideal for implementing this. Ethereum offers
immutability, and blockchains can foster new kinds of trust, but trust still
has to grow organically in the ecosystem.

~~~
sbierwagen
Damn, you're right. And if people use smart contracts to do things that are
technically allowed, but have unexpected downsides, we should have a review
system in place where impartial third parties review the contract language.
Two people should be assigned to speak for and against the unexpected
behavior, and then maybe a panel of 12 regular citizens could render the
actual verdict.

~~~
Pulcinella
This is the central, glaring flaw in cryptocurrencies to me. Transferring
"value" for goods and services is really more of a social problem than a
scientific/engineering one.

Money is a social technology that solves a social problem. Cryptocurrency is an
engineering technology in search of a problem to solve.

~~~
grandalf
> Transferring "value" for goods and services is really more of a social
> problem than a scientific/engineering one

Do you mean on the margin where there is debate about the contract or whether
the goods/services were rendered adequately?

Cryptocurrencies don't attempt to solve this problem at all, they simply allow
for efficient moving of currency between parties without the need for
meatspace regulation/trust to do it.

Smart contracts make sense with a blockchain because now humans can agree on
specific contract behavior that is fixed due to the highly prescribed way a VM
will process it. This doesn't mean that humans will or should blindly trust a
smart contract to do what some third party claims it will do.

But unlike meatspace, there is one VM that matters, contracts and oracles can
earn a reputation as being trustworthy, and established patterns can be
executed with incredible efficiency and fairness.

The issue that presents a challenge for all systems (cryptocurrencies and
meatspace institutions) is bootstrapping. Some people will get burned in the
beginning because fraud will be temporarily easier to commit. This is why I
wish the DAO had just been allowed to die without the hard fork. What is
needed is not innovative crowd funding schemes, but additional trust and
vetting infrastructure.

~~~
zdkl
Shame on whoever considers himself familiar with cryptocurrencies that
downvoted this. This is a well worded argument for an opinion that one may or
may not share, but whatever one's position about the "true believers" of smart
contracts the parent's points are valid, on topic and sensible.

Btc isn't here to pay your coffee or your salary, it's here as a fallback if
you really need to get out of traditional finance. Same with ETH. You're not
supposed to switch all your banking, notarial or legal affairs to the platform
but it's there for cases where traditional contract law isn't desirable.

Now why so many people ascribed additional meaning or value to these platforms
is the really interesting part. In a way, it's good these hacks happen as a
reminder that this is what you signed up for. It's the wild west and you don't
have a court or government watching your back. That's a (the) feature.

------
aresant
From the post mortem (1) -=>

- A hacker managed to exploit an ICO multisig wallet vulnerability and drain
44,055 ETH - $9,119,385 at present.

- A white hat showed up and "saved" 377,000 ETH - $78,039,000 !!! - by
draining other accounts.

I get the "see cryptos are too insecure / it's a pyramid / it's a bubble /
ICOs are scams / etc" arguments.

But holy shit turning a world currency into the wild west - for better or
worse - is going to be disruptive, period.

That $10m out the window is like a Series A for a nefarious hacker with deep
crypto skills, what does this success embolden or create?

I can only imagine the debacles that we have to look forward to, and I say
that in full support of and as a long term believer in both blockchain and
cryptocurrencies.

(1) [https://press.swarm.city/parity-multisig-wallet-exploit-hits-swarm-city-funds-statement-by-the-swarm-city-core-team-d1f3929b4e4e](https://press.swarm.city/parity-multisig-wallet-exploit-hits-swarm-city-funds-statement-by-the-swarm-city-core-team-d1f3929b4e4e)

~~~
sillysaurus3
The real lesson is: don't store your coins on a third party _anything_.

This was a third-party wallet. Everyone used it because everyone else used it.
Exactly like Mt Gox. There was no reason to store coins on Mt Gox, just like
there was no reason to use this wallet.

A moment's reflection would have prevented this foolish decision.

~~~
ChrisClark
This wasn't a third party wallet actually. It is the local Parity wallet and
node. What this was, was a bug in the multisig contract that Parity would give
you to deploy. So it is a contract you personally deploy onto the ethereum
network and then interact with. You do own it, you own the private keys for
the address, etc.

But the bug allowed any other address to add themselves as owners and withdraw
from it.

Luckily not many people used it and the white hat was able to claim all the
rest before anyone else.

~~~
mpeg
Exactly, you are deploying code to the cloud that you didn't write and
trusting it with your money.

So many things wrong about that, it's the cryptocurrency equivalent of
installing random software packages on your critical servers.

~~~
zfran
actually the best practice is not writing your own code and using thoroughly
audited industry standards. Writing your own smart contracts for things that
other people have already done and secured is akin to rolling out your own
cryptography. Obviously, just like it's happened with openssl in the
cryptography equivalency, this can also go wrong, but it's less likely.

If you write your own you should get your code audited by a specialist, or
many, before deploying.

------
doener
"my favorite part of this latest ICO hack is that it appears to have gone to
same wallet as the dao hack ....."

[https://mobile.twitter.com/IamNomad/status/88777698177709261...](https://mobile.twitter.com/IamNomad/status/887776981777092613?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fredcursor.net%2F)

"incredible plot twist: whitehat hacker supposedly saved most tokens from
being stolen using the same vuln."

[https://mobile.twitter.com/bcrypt/status/887775417406431232?...](https://mobile.twitter.com/bcrypt/status/887775417406431232?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fredcursor.net%2F)

"Multisig wallets affected by this hack: - Edgeless Casino (@edgelessproject)
- Swarm City (@swarmcitydapp) - æternity blockchain (@aetrnty)"

[https://mobile.twitter.com/maraoz/status/887755889897295872?...](https://mobile.twitter.com/maraoz/status/887755889897295872?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fredcursor.net%2F)

~~~
sillysaurus3
_my favorite part of this latest ICO hack is that it appears to have gone to
same wallet as the dao hack ....._

Any proof of this?

EDIT: This appears to be false. From
[https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/](https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/)

_The leaked ether is in a child DAO at [https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490](https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490)_

But that site shows the account hasn't received anything since July 8.

~~~
sna1l
Yeah, the tweet and subsequent replies are absolute garbage.

------
cl0rkster
A much more useful explanation: [https://press.swarm.city/parity-multisig-wallet-exploit-hits-swarm-city-funds-statement-by-the-swarm-city-core-team-d1f3929b4e4e](https://press.swarm.city/parity-multisig-wallet-exploit-hits-swarm-city-funds-statement-by-the-swarm-city-core-team-d1f3929b4e4e)

~~~
calafrax
> The Swarm City Core team is more committed than ever to the development of
> Swarm City. The real value of our token lies in the community, and the
> technology the developers are creating. Black hat hackers, vulnerabilities,
> and bugs will not stop us from creating the decentralized sharing economy
> our community and the world craves.

What?!? That seems like a pretty relaxed response for someone who just lost 8m
dollars.

~~~
lightbyte
Their whole statement is pretty concerning. They do not seem to be taking
responsibility for writing a very basic and obvious bug that lost them
millions of dollars. That'd end most companies.

------
ericb
As Charlie Lee said:

If the creator of Solidity, Gavin Wood, cannot write a secure multisig wallet
in Solidity, pretty much confirms Ethereum is hacker paradise.

[https://twitter.com/SatoshiLite/status/887781929726038016](https://twitter.com/SatoshiLite/status/887781929726038016)

~~~
runeks
I'm confused. Did Gavin Wood write the code for the Parity wallet, forgetting
that he had created a language where function visibility defaults to "public"?

~~~
drcode
Charlie Lee is wrong: The bug was introduced by another, less experienced,
developer submitting a commit to the repo (though of course Gavin Wood
arguably still bears some responsibility as leader on the parity project).

------
joshschreuder
Let's play hypotheticals.

If you were the attacker and you now have the ETH in your wallet, how do you
cash out without anyone identifying you and maximising your profits?

Also has the attacker broken a law by exploiting a bug in the contract?

~~~
Woofles
IANAL but if someone leaves their front door open, it's still illegal to walk
in and take their possessions. I would imagine this falls under a similar
ruling.

~~~
0x0
In most cases yes, but isn't ethereum all about "the code __is__ the
contract"? If you as the owner of a house put an ad in the paper saying "if
you can manage to enter my house feel free to take whatever you want", should
you complain if someone did exactly that?

~~~
albertgoeswoof
Yes because that would still be a crime. Expanding on your analogy - if I
declare right now that it's ok to murder me, it's still not ok to come and
murder me. Same principle applies to EULAs and Terms of Service, you're not
bound to it just because it's in there.

If the hacker was entitled to those funds based on the agreement between the
concerned parties (implicit OR explicit in the contract) it would not be
theft. But it clearly isn't their Ether and the implicit agreement behind the
contract stands.

Basically human ethics, morals and the legal system will always trump code.

~~~
philh
> Yes because that would still be a crime. Expanding on your analogy - if I
> declare right now that it's ok to murder me, it's still not ok to come and
> murder me.

The comparison to murder doesn't work because you can't consent to murder, but
you can consent to theft.

It's not clear to me whether that situation would be taken as consent, but
unless you know something I don't, it probably shouldn't be clear to you
either.

~~~
albertgoeswoof
How do you consent to theft?

~~~
philh
By giving something to someone.

I mean, legally, what happens is not "consenting to theft". Unlike say
assault, which you can consent to, and legally speaking an assault actually
happens but consent makes it okay; but with theft, if you consent what happens
is not legally theft. (IANAL, but this is my recollection from law A-levels.)

But that distinction is irrelevant here. The point is that there's basically
no way for someone to deliberately kill someone and have it not be a crime.
But there are ways for someone to take someone else's stuff and have it not be
a crime, and one way is if the owner consents.

~~~
albertgoeswoof
And in this case the owner didn't consent, regardless of the contract's
contents.

~~~
philh
Under US law, I think that's probably true, but a) it's not what I was talking
about, and b) I don't think you should be as confident as you seem to be.

------
notsofastbuddy
Parity shipped with a built-in Solidity contract to implement multi-sig
wallets. That contract had a vulnerability that is now being exploited.

Importantly, the contract is not part of the Ethereum protocol, so other
implementations and non-multi-sig Parity wallets are safe.

~~~
saghm
> Importantly, the contract is not part of the Ethereum protocol, so other
> implementations and non-multi-sig Parity wallets are safe.

Safe from this bug, maybe. But there's nothing to say that they might not also
have bugs of their own.

------
sna1l
[https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a](https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a)
-- white hat group exploited the vuln and are holding people's crypto for
them.

~~~
Deimorz
I don't follow Ethereum closely at all, but I don't really understand a few
things about this:

- Who's the "white hat group"? Why do people have confidence in it?

- Why does everyone believe they'll give back $75M+? If they decided to just
keep it, what could anyone do?

- How will people even be able to claim ownership of the ETH in a way that's
verifiable so they know they're giving it back to the right person?

~~~
draw_down
The question makes sense, but really why do people have confidence in any of
this, you know what I'm saying?

~~~
oh_sigh
You don't really have a choice right now. Either trust them and wait to see if
your eth is returned, or start rabblerousing for yet another hard fork to undo
this 'hack'

------
matt_wulfeck
I'm sure they'll just hard fork again. And nobody cares because ethereum isn't
actually being used for anything real, just a bunch of enthusiasts trying to
get rich.

~~~
codewiz
How is rolling back transactions that are clearly part of a robbery a bad
thing?

~~~
swsieber
Because it's rolling back transactions that were done under "the law" (e.g.
the ether contract stuff) by human intervention when the entire draw of the
ether contract stuff was the promise of _no human intervention_.

~~~
resf
In a blockchain, the participants in the network have unlimited authority to
modify the "law" of the blockchain, even retroactively.

If there is sufficient consensus among Ethereum users for a hard fork, then it
can happen.

~~~
oh_sigh
Yes, and that 'feature' of block chains is never really touted by blockchain
supporters. Basically, if 51% of the network think you have too much money,
they can just take it from you with no recourse available.

~~~
cesarb
> Basically, if 51% of the network think you have too much money, they can
> just take it from you with no recourse available.

That's not how it works. Even if you had 99.99% of the hash rate, you still
have to work within the rules of the chain, so a "give me your money" without
a valid signature would still be rejected as invalid by every full node (and
you just wasted your hashing power). What having 51% or more of the hash rate
allows is a double spend attack: you can undo recent transactions, so you can
spend a coin twice.

But the rules of the chain can be changed. If for instance 90% of the full
nodes decide to change their software so that "give me your money" is now
valid in some special circumstance X even without a valid signature, and that
"give me your money" transaction is sent to the network, these 90% of the
nodes will allow it to be added to the chain, and let the chain grow on top of
it; while the other 10% will grow a separate chain on top of the last block
without the "give me your money" transaction. Soon, each side has an
incompatible view of which transactions are in the blockchain; this is called
a "hard fork". And if the minority side is small enough, it will no longer
matter if they still say you have your money, since everyone else you want to
transact with will say you don't.

That's what blockchain proponents tend to omit: the blockchain is a social
construct. Its rules are fixed as long as the majority of participants want
them to be. When they decide to change the rules, like that time when the
Bitcoin developers fixed a database bug which changed the validity of some
blocks, the rules will change. Even retroactively.

~~~
resf
It seems to me that large blockchains^ are some of the most _stable_ social
structures in existence. The rules of Bitcoin have been in place for 8 years
with only minor modifications, despite huge sums of money passing through the
system.

This compares very favourably with other social structures, such as nation
states, especially _8 year old_ nation states.

^ Large as in Bitcoin and Ethereum, smaller networks are much easier to
manipulate.

~~~
CPLX
> It seems to me that large blockchains^ are some of the most stable social
> structures in existence. The rules of Bitcoin have been in place for 8 years

Indeed. Makes the Swiss federation and the King James Bible look quaint
doesn't it.

------
pietrofmaggi
This is the most useful explanation I've found about the vulnerability so far:
[https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7](https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7)

The explanation is a bit scary about what actually ended up in parity code:

_The wallet contract forwards all unmatched function calls to the library
using delegate call... This causes all public functions from the library to be
callable by anyone, including initWallet, which can change the contract's
owners._

Edit: formatting

------
icelancer
Black hat hackers nabbed $31MM in ETH. Not a bad payday due to a coding error.

[https://etherscan.io/address/0xb3764761e297d6f121e79c32a6582...](https://etherscan.io/address/0xb3764761e297d6f121e79c32a65829cd1ddb4d32)

~~~
state
This whole crypto currency thing has an incredible bug bounty program.

~~~
puranjay
Hacking crypto currencies is the new Series A for smart programmers, I guess.

------
lawrenceyan
Silver lining:
[https://etherscan.io/address/0x1dba1131000664b884a1ba2384641...](https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a)

Looks like about +300,000 ether was able to be drained before it could be
stolen thanks to a white hat group.

~~~
ricardobeat
Only good if they can keep the group together after amassing 70+ million
dollars.

------
djhworld
On the parity website they state the following

> Every single line in our codebase is fully reviewed by at least one expert
> developer (and routinely two or more) before being placed in the main
> repository. We strive for excellence; static code checking is used on every
> compile to cut out bad idioms. Style is enforced before any alteration may
> be made to the main repository. Continuous integration guarantees our
> codebase always compiles and tests always pass.

~~~
5chdn
Confirming this always was and still is the case. (Working for Parity.)
However, this does not guarantee that such mistakes happen.

------
dvcc
Can someone explain how immutable contracts get updated? From what I
understand you can have one contract forward requests to another, and you can
use some storage in the forwarding contract to determine the real target
contract. But why would someone participate in a contract that is mutable?

I guess I am just wondering how this contract can be updated, given it's on the
blockchain and considered immutable.

~~~
pimeys
There are architectural ways as you said, but basically you don't update them.
You know the possible bugs, you document the contract, methods and your
process early on, you write tons of tests, use auditing tools, do code review
with the team, hire somebody to audit your code, test it with bounties,
implement emergency stops and speed bumps and some proper monitoring.

When it's about your money, you should be able to do all that.

And yes, Solidity is pretty horrible. I hope there will be better options such
as Idris in the future.

------
nkrisc
Just thinking hypothetically here as a coin novice: could a bug like this
theoretically have been implemented intentionally? If the code is the law, and
the code is sufficiently complex, couldn't it be feasible to dupe people?

~~~
SittingTemplar
Yes. Contracts are only as secure as the people interpreting them, and when
people can't interpret them because they're code, suddenly you need third
parties to interpret them and then you've got to pay third parties to do this
efficiently and suddenly you've reinvented the concept of being a lawyer.

------
swamp40
The begging in the comments section, along with their wallet IDs, looks like
a glimpse of the internet 100 years into the future.

------
o-
I believe from looking at the fix [0] I was able to trace back the origin of
the bug. This is my (unverified) theory. Can anybody familiar with serpent
confirm?

There is a catch-all [1] function in the public API (why???) of the wallet
contract which uses delegatecall to delegate to the library class.

"In a similar way, the function delegatecall can be used: the difference is
that only the code of the given address is used, all other aspects (storage,
balance, ...) are taken from the current contract." [2] (again, WHY???)

So calling through this catch-all function the "internal" modifier on
"initMultiowned" does apparently not prevent it from being called, since the
delegation happens from a function inside Wallet.

So the "attack" is to just tell the wallet to reset its owners to myself. This
would be so embarrassingly trivial, that it's more like picking the money up
from the floor, than a "heist".

This wallet contract is insane and the programming language too. Why would a
language for such a critical application have such super unsafe constructs?
This can't be true. Please, serpent community, talk to your local PL people!

[0] [https://github.com/paritytech/parity/pull/6103/files](https://github.com/paritytech/parity/pull/6103/files)

[1] [https://github.com/paritytech/parity/blob/02d462e2636f1898df3e7556364260c594b112e6/js/src/contracts/snippets/enhanced-wallet.sol#L426](https://github.com/paritytech/parity/blob/02d462e2636f1898df3e7556364260c594b112e6/js/src/contracts/snippets/enhanced-wallet.sol#L426)

[2] [https://solidity.readthedocs.io/en/develop/types.html#address](https://solidity.readthedocs.io/en/develop/types.html#address)

[3] [https://github.com/paritytech/parity/blob/02d462e2636f1898df3e7556364260c594b112e6/js/src/contracts/snippets/enhanced-wallet.sol#L107](https://github.com/paritytech/parity/blob/02d462e2636f1898df3e7556364260c594b112e6/js/src/contracts/snippets/enhanced-wallet.sol#L107)
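
The pattern described in this comment, in earlz's comment above (initWallet left public) and in the Zeppelin quote (fallback forwarding every unmatched call to the library via delegatecall) is easier to reason about with both halves side by side. The following is an added example and is not Parity's code: it reproduces the shape of the design (a thin wallet whose fallback delegates to a shared library, initialised once through that same library) and shows a reinitialisation guard of the kind the fix added. The contract names, the `isOwner`/`m_numOwners` storage and the `only_uninitialized` modifier body are illustrative assumptions.

```solidity
pragma solidity ^0.4.24;

// Added example, not Parity's code. Illustrative names and bodies.
contract WalletLibrary {
    // Storage layout shared with Wallet: delegatecall runs this code against
    // the *calling* contract's storage, so slot order must match exactly.
    mapping(address => bool) public isOwner;
    uint256 public m_numOwners;

    // Without this guard, initWallet stays reachable forever through the
    // wallet's fallback, and a later call silently replaces the owner set.
    // Because m_numOwners is read from the wallet's own storage under
    // delegatecall, the check applies to the wallet, not to the library.
    modifier only_uninitialized() {
        require(m_numOwners == 0, "wallet already initialised");
        _;
    }

    // Public on purpose (the wallet constructor reaches it by delegatecall),
    // but it can now run exactly once per wallet.
    function initWallet(address _owner) public only_uninitialized {
        require(_owner != address(0), "owner required");
        isOwner[_owner] = true;
        m_numOwners = 1;
    }

    // After initialisation, only an existing owner may extend the owner set.
    // msg.sender is preserved across delegatecall, so this check is meaningful.
    function addOwner(address _owner) public {
        require(isOwner[msg.sender], "not an owner");
        require(!isOwner[_owner], "already an owner");
        isOwner[_owner] = true;
        m_numOwners += 1;
    }
}

contract Wallet {
    // Must mirror WalletLibrary's layout; lib lives in the first free slot.
    mapping(address => bool) public isOwner;
    uint256 public m_numOwners;
    address private lib;

    constructor(address _lib, address _owner) public {
        lib = _lib;
        // One-time initialisation through the library. The guard passes here
        // because this contract's m_numOwners is still zero.
        require(lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner)),
                "initialisation failed");
    }

    // The catch-all the comment objects to: every unmatched selector is run
    // from the library's code with this contract's storage and balance. Any
    // function the library exposes publicly is therefore callable on the
    // wallet by any external account, which is why the library itself must
    // refuse repeated initialisation. A stricter design forwards only an
    // explicit allow-list of selectors instead of msg.data wholesale.
    function() public payable {
        require(lib.delegatecall(msg.data), "library call failed");
    }
}
```

Two properties are worth checking whenever this delegation shape appears in a review: that every library function which mutates ownership is gated either on `msg.sender` being an owner or on the wallet being uninitialised, and that the wallet's state variables line up slot for slot with the library's, since a mismatch lets a library write land in an unrelated wallet variable.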

------
jondubois
The problem with Ethereum is that it's just way too complex. The more complex
something is, the more bugs and vulnerabilities there are going to be.

------
niahmiah
Let me guess... another hard fork to undo this.

~~~
lettergram
Hard fork can't even undo this, from my understanding.

~~~
olegkikin
I'm pretty sure a hard fork can undo anything on the block chain. You can
start over from the block before the hack. There's probably a cleaner solution
than that though.

~~~
csomar
The problem is, how do you reassign the funds after the hardfork? The funds
are attached to addresses and not persons.

~~~
pyrale
You can revert the funds to the address that paid into the contract in the
first place, since transactions are public.

~~~
csomar
That wouldn't move the money to their rightful owner but to the previous
owner.

~~~
olegkikin
I don't think that's correct. If you only revert the stolen money transactions
and all the branches of them since, almost nobody loses. The few stolen ETH
that got sold will be a loss, but it's nothing compared to $35M.

~~~
csomar
And you'll revert them to what? the buggy contract?

~~~
olegkikin
It's a hard fork. The contract would be fixed. But you could also send the
victim's money anywhere, just ask the victim where they want it, there are
only 3 major ones.

------
ericb
No rollback this time. The chain with this hack must have the longer
Proof-Of-Vitalik.

[https://twitter.com/VitalikButerin/status/887782650026631168](https://twitter.com/VitalikButerin/status/887782650026631168)

------
theptip
Can someone explain to me why you would want a smart contract for multi-sig?
This is a feature that can be implemented easily off-chain, i.e. using split
keys (Bitcoin has had this approach for some time).

Seems like having this complex logic on-chain is asking for it to be
exploited.

------
tudorw
Entropy, not something you want from a currency, also, paper money is not
magic, it's a network of trust. I think block chain applications are out
there, I just don't think cryptographic currencies are their best use.

------
abhi3
For some context: [http://www.coindesk.com/30-million-ether-reported-stolen-par...](http://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/)

------
e79
The vulnerability was extremely simple, as suggested by the three keyword-long
patch. I've written about this and other Solidity/EVM bugs from a technical
perspective, if anybody is curious:

\- [https://ericrafaloff.com/parity-multi-sig-contract-vulnerabi...](https://ericrafaloff.com/parity-multi-sig-contract-vulnerability/)

\- [https://ericrafaloff.com/analyzing-the-erc20-short-address-a...](https://ericrafaloff.com/analyzing-the-erc20-short-address-attack/)

I think at least a big part of the solution to these security problems is two-
fold:

\- More secure conventions. All of the gotchas in Solidity make for a bad
time. Even non-security bugs create a bad developer experience. Opting into
private functions by default

\- More code review. Engineers need to be diligent or hire security
professionals who are (I'm one).

------
ericfrederich
Is this even illegal? Or just frowned upon? It seems this is just one big
game, you find the weakness and you profit.

~~~
eqmvii
Theft of property is illegal in almost all jurisdictions in a very general
sense. It doesn't matter what the property is, and the law doesn't try to
anticipate every possible thing a person could own to specifically prohibit
misappropriating it.

The practical challenges to tracking hackers or 'hackers' stealing digital
currency mean you don't see regular prosecutions, but the ease of getting away
with it shouldn't imply legality.

------
rboyd
you can see that this is also affecting tokens. check the whitehat effort
(Token Transfers / View Token Balances) on this wallet
[https://etherscan.io/address/0x1dba1131000664b884a1ba2384641...](https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a#tokentxns).

$30M worth of BAT, $26M ICONOMI, $17M CFI, $1.4M EOS

historic episode here which is sure to spur many a conversation about what
disclosure means in the blockchain era.

------
redm
The blog announcement from Parity:

[https://blog.parity.io/security-alert-high-2/](https://blog.parity.io/security-alert-high-2/)

------
ericb
Things like this are why I think Tezos, when/if it comes out, has a bright
future. I want a formal proof for any contract I use with real-money.

~~~
abrkn
Can you provide any reading material into formally proven contracts?

~~~
splintercell
What kind of reading material are you looking for? Formally proven Smart
Contracts would be the same as formally proven non-smart contract computer
programs.

There is a paper[1] written by some researchers on how using a more powerful
language (Such as Idris) could prevent a whole category of errors in smart
contracts development, but it doesn't necessary talk about formal verification
of smart contracts.

1\.
[https://publications.lib.chalmers.se/records/fulltext/234939...](https://publications.lib.chalmers.se/records/fulltext/234939/234939.pdf)

------
jamespitts
Helpful information for users potentially affected by this issue:

\- The vulnerability is in Parity's "enhanced" multi-sig contract

\- This affects Parity 1.5 and later

\- Parity 1.5 was released on January 19, 2017 (have you created multi-sigs in
Parity since then?)

\- The canonical multi-sig contract used in Mist / Ethereum Wallet does NOT
have this vulnerability

\- 0x1db is a community "white hat" sweep effort and not an attacker (See:
[https://etherscan.io/address/0x1dba1131000664b884a1ba2384641...](https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a)
)

------
codewiz
The bug in the wallet contract was fixed one hour ago with this commit:
[https://github.com/paritytech/parity/pull/6102/files/e06a1e8...](https://github.com/paritytech/parity/pull/6102/files/e06a1e8dd9cfd8bf5d87d24b11aee0e8f6ff9aeb)

Parity bug:
[https://github.com/paritytech/parity/pull/6102](https://github.com/paritytech/parity/pull/6102)

------
okreallywtf
In reading the comments I had forgotten what DSL stood for and had to look it
up and it usually means something other than intended here, to save anyone
else the trouble its Domain Specific Language.

[https://en.wikipedia.org/wiki/Domain-specific_language](https://en.wikipedia.org/wiki/Domain-specific_language)

------
kensey
The great thing about reading this comment thread is that I basically already
read it a couple of weeks ago, because a friend of mine (David Gerard, of
Wikipedia, RationalWiki and Rocknerd Internet fame) let me preview his
forthcoming e-book _Attack of the 50-Foot Blockchain_. There's a whole section
in there about smart contracts, Ethereum, and The DAO that goes over much of
what commenters here have mentioned ("non-reversibility, till it's our money
at stake", the requirement that everyone write and read code perfectly, the
problems with the very idea of immutability in contracts, etc.)

If people are interested, it's on Amazon:
[http://amzn.to/2trOjJS](http://amzn.to/2trOjJS) (I have no financial interest
in it, but I bet a lot of people in this thread would enjoy reading it and/or
writing long diatribes on why he is wrong about everything in it.)

~~~
davidgerard
:-D

Ask me anything ;-) I have, like, a whole chapter about smart contracts which
answers everything about this latest disaster. The idea is that it will be a
handy rhetorical ammo dump for when someone asks you about those blockchain
things and why the business needs them ...

~~~
splintercell
I hope you are mentally prepared for the sheer amount of negative reviews
you're going to get on Amazon.

~~~
davidgerard
Their money is still fiat!

------
abhi3
That's like 30 Million USD at current prices? This is close to the DAO hack in
USD value, not another fork now surely?

~~~
52-6F-62
A hard fork couldn't undo the damage if everybody wanted to. The
exploiter/hacker/scammer, whatever you want to label them, can move ETH into
other coins on exchanges immediately. This will cause an innocent party to buy
them, removing any chance of reversal affecting the person[s] responsible.

During the DAO hack, the funds were prevented from moving anywhere so a hard
fork caused a direct reversal.

That's my understanding, anyway.

~~~
chillydawg
Eth is worth less right now, as there is an implicit chance that all
transactions will be rolled back to a few hours ago. Hence any buyer of ETH
will be getting a fair price for the risk. Wild west all round.

~~~
52-6F-62
None of that is true at all. Rolling it back would do nothing for anybody
affected, so there's no way a consensus would form. That and a majority of the
hacked accounts were prevented loss by whitehats as things look now.

~~~
chillydawg
The probability of rollback is not 0% (or at least it wasn't last night when I
wrote that comment). It might only be 0.2%, but it's not 0%.

------
redm
I'm not sure why everyone is piling on Solidity. At the end of the day, bugs
happen in all languages, to all programmers eventually, and if you want to
point the finger, it has to be at Parity.

If anything, it shows there needs to be a better process for peer review and
some defaults in Solidity should be changed for security.

~~~
bigdubs
It's because even creating Solidity was a choice; why not use a more
established language with a well understood vm?

------
coinme
Better techniques are required. Solidity is clearly not ready to be used to
secure billions of dollars that can be anonymously stolen in an instant. Fuzz
testing should be an absolute minimum. Formal proofs, and a simpler language
should be the ultimate goal.

Hopefully the ethereum foundation takes note because this problem is not going
away, and they are responsible for 20B$ market cap of value. I realise that
ethereum is still young but they have chosen to build a product that can be
used in a multitude of ways without enough thought about how to keep the value
secure. I wouldn't even know where to start when deciding whether it's safe to
use a smart contract, and I understand the concepts well. If ethereum is ever
going to grow into its current market cap it will have to be safer for use by
everybody.

------
ateevchopra
77 Million were rescued by the white hackers and stored.

[https://etherscan.io/address/0x1dba1131000664b884a1ba2384641...](https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a)

------
samstave
Forgive me for being harsh:

Why is there no "pen-test" phase to any cryptocurrency which hits the market.

So, let me understand; you're ostensibly smart enough to (perhaps as a body of
contributors, even) develop a cryptocurrency offering - yet you're also fucking
stupid enough to not have same/wider network of ppl attempt to hack the fuck
out of your plan?

Does this already occur? or some savant comes and owns them?

We have fucking HIPAA FFS and the compliance systems for something as trivial
as my stupid name.

so; ELI5: WTF are currencies doing/not-doing which allow for such hacks (1)
and allow for exploits to go unseen (2)

~~~
52-6F-62
It has nothing to do with any currency or protocol. It was a broken feature in
a piece of software used on the network that was bad. Unfortunately, it was
widely used and somebody caught the fault and exploited it.

It's more like a company's open source software allowing somebody to steal
your bank password. It doesn't have anything to do with USD or the Fed, or
even the bank's larger practices. It has to do with how negligent they were
with regard to a particular feature.

~~~
dahdum
This...it was a poorly written contract just like the DAO was. Parity
developers didn't follow the most basic contract safety steps, and people used
it because they trusted them too much.

Each of these situations is a painful learning experience, but moves the
platform forward.

------
mtgx
So will the devs create another Ethereum fork to recover this money?

~~~
Tepix
Not sure if they can this time. The money isn't locked for several weeks like
it was last time, is it?

------
rjurney
I can't even understand what you are all talking about. Crazy kids. I'm not
even kidding. Usually I can figure out what the topic of conversation is if
I'm not familiar with it, but in this case I'm like three degrees removed from
comprehension.

Sounds like this is all probably dot com bullshit, but maybe something genius
will come out of it that is unforeseen now.

------
curiousgal
Maybe it was a feature not a bug.

------
likeclockwork
If the code of the contract IS the contract, how was anything 'stolen'?

------
rocky1138
How do we know this is stolen? The link doesn't provide much detail.

~~~
sna1l
Seems unlikely that 3 different multi-sig wallets sent so much ETH to the same
wallet.

------
6nf
Time for another hard fork!

------
campbelltown
It appears the hacker has begun moving ether from the account. The number
presented in this link will no longer match the amount in the title. There is
currently 83K ether remaining.

------
viach
Looks like a good motivation to start learning Solidity.

------
codewiz
Can someone ELI5?

I use Parity, I have a wallet contract deployed, it's night and I'm wearing
sunglasses.

~~~
codewiz
Oh shit:
[https://www.reddit.com/r/ethereum/comments/6oalcq/important_...](https://www.reddit.com/r/ethereum/comments/6oalcq/important_wallets_created_with_paritys_multisig/)

------
hohenheim
I wonder, why the black hat didn't drain all the money and left it for the
white hat group?

~~~
sleepychu
Maybe they estimated that this was the proportion that would protect their
gains from a hard fork

~~~
richardknop
I agree. Probably game theory reasons. Don't steal so much it will cause the
community to unite and hard fork. 30 million is enough to retire and probably
not enough to cause hard fork and rollback of txs. They played it safe.

~~~
mullen
I think this is what happened and it makes sense if you think about it. If
they steal enough to get rich but not enough to force a rollback, then they
can keep their ill gotten gains.

30 million is enough for a small group of hackers to live comfortably for the
rest of their lives.

------
kevinwang
Can anyone explain? Don't know what I'm looking at.

~~~
52-6F-62
There was a faulty contract in Parity's multi-sig wallet, which is more like a
vault than a typical wallet.

The page linked to here is the blockchain address of whoever exploited that
fault and was able to take control of a large number of wallets and forward
all of the ETH to their account.

They've sold ~20 ETH so far (~4100 USD), and have ~150,000 sitting at that
address still.

------
sparky_
Didn't they fork the project a while ago due to theft?

------
joeblau
It's being put back:
[https://news.ycombinator.com/item?id=14811534](https://news.ycombinator.com/item?id=14811534)

 _Edit: Without Vitalik or a hard fork._

------
davidw
I miss patio11's posts on these things.

~~~
patio11
Sorry -- been a bit too busy with work and a 5 month old to understand
Ethereum deeply enough to feel like my get-some-popcorn genre of posts would
add value.

On the plus side, Bitcoin popcorn futures continue their steady progress up
and to the right.

------
tbarbugli
how much money is that?

~~~
joeblau
If you click through it says:

    
    
      ETH USD Value:	$31,070,106.18 (@ $203.05/ETH)

------
thecrazyone
the link seems to be down. Did we DDoS it?

------
draw_down
It's "cynical" to point out these problems will keep happening, but then they
keep happening. So, not much to say.

~~~
drcode
Well yeah, as long as there are cars, people will get in car accidents... That
doesn't mean we should ride horse buggies forever.

------
imron
Don't worry, they can just do another hard fork and get the money back,
amirite?

------
qwertyuiop85
0x2ee4899d44F086e8ee974399f404214de33F9b68 Please donate, I'll go full time
auditing code from now on. WHG member.

------
WhatsName
[https://cryptowat.ch/kraken/ethusd](https://cryptowat.ch/kraken/ethusd)

~~~
jimrandomh
That ticker shows the current price as higher than it was 48 hours ago.

------
qwertyuiop85
0x2ee4899d44F086e8ee974399f404214de33F9b68 Please donate, I'm going full bug
hunting from today on your behalf. WHG dev. S.

