Hacker Steals $30 Million Worth of Ethereum From Parity Multi-Sig Wallets (bleepingcomputer.com) 67
An anonymous reader quotes a report from Bleeping Computer: An unknown hacker has used a vulnerability in an Ethereum wallet client to steal over 153,000 Ether, worth over $30 million dollars. The hack was possible due to a flaw in the Parity Ethereum client. The vulnerability allowed the hacker to exfiltrate funds from multi-sig wallets created with Parity clients 1.5 and later. Parity 1.5 was released on January 19, 2017. The attack took place around 19:00-20:00 UTC and was immediately spotted by Parity, a company founded by Gavin Wood, Ethereum's founder. The company issued a security alert on its blog. The Ether stolen from Parity multi-sig accounts was transferred into this Ethereum wallet, currently holding 153,017.021336727 Ether. Because Parity spotted the attack in time, a group named "The White Hat Group" used the same vulnerability to drain the rest of Ether stored in other Parity wallets that have not yet been stolen by the hacker. This money now resides in this Ethereum wallet. According to messages posted on Reddit and in a Gitter chat, The White Hat Group appears to be formed of security researchers and members of the Ethereum Project that have taken it into their own hands to secure funds in vulnerable wallets. Based on a message the group posted online, they plan to return the funds they took. Their wallet currently holds 377,116.819319439311671493 Ether, which is over $76 million.
Value of crypto currency (Score:2)
Is all crypto currency over-valued when it is so frequently anonymously stolen?
Not exactly (Score:2)
The sad thing is there's plenty of legitimate uses for the tech and the ideas but at the moment they'
Re: (Score:2)
But if all my money is stolen, I can't buy any black market goods, so it doesn't have any value to me.
Re: (Score:3)
The initial value of the cryptocurrency is its use in illegal transactions, yes. It will get legitimacy with volume. I'm resigned to the idea that BitCoin or some rival will eventually be real money in pretty much every sense of the word. Variances are dropping slowly but steadily. I'd give it five or ten more years just to be sure, but I don't think we can bottle this particular genie.
Re: (Score:1)
Read this like Abraham Lincoln for best effect
Re: (Score:3, Insightful)
Is all crypto currency over-valued when it is so frequently anonymously stolen?
It was not "stolen". Crypto-currencies are based on the implementing code, and the only "rules" are in the code. So if the code allowed someone to transfer ownership, then that transfer followed the "rules" and is just as legitimate as any other transfer. Just because some people misunderstood the rules, that doesn't make it "wrong" for someone else to follow them to their own advantage.
Re: Value of crypto currency (Score:1, Insightful)
It was not "stolen". Crypto-currencies are based on the implementing code, and the only "rules" are in the code. So if the code allowed someone to transfer ownership, then that transfer followed the "rules" and is just as legitimate as any other transfer. Just because some people misunderstood the rules, that doesn't make it "wrong" for someone else to follow them to their own advantage.
Yes it was stolen. That is the legal and usual definition, taking without the owners' consent.
Your made up redefinition is complete bullshit.
Re: (Score:2, Insightful)
taking without the owners' consent.
The owner is whoever the code says the owner is. Just because you thought you owned it, doesn't mean you do.
Re: (Score:2, Informative)
So... if I break into your bank account and transfer all the money into mine... it's all legal because the code allowed it?
Re: (Score:2)
A criterion which classifies 99.99% of the people presently involved with cryptocurrency as amateur speculators.
Because in code—which resembles logic, which resembles a peanut brittle bar left outside overnight halfway up Vinson Massif (well, your father's Vinson Massif)—a single thing you don't fully understand can drain your entire wallet.
Re: (Score:2)
Err, that sounds a lot like stolen to me.
Re: (Score:2)
Word game fail.
Cash also has similar rules: He who holds the cash owns it, in the sense that he can spend it.
And yet, we still call it theft when someone takes your cash without your permission.
Whew (Score:5, Funny)
Thank goodness I put all my money into tulips.
Re: (Score:1)
pruned
Re: (Score:2)
Woosh!
Re: (Score:2)
then you're the idiot because tulips are easily hacked with genetic shit and roses pay more...
Oh noes, you found the fatal flaw in my master financial plan.
Re:Whew (Score:4, Informative)
For those that didn't get the joke I suggest reading a little history. This might help:
https://en.wikipedia.org/wiki/... [wikipedia.org]
I need some! (Score:2)
Re: (Score:2)
Well, apparently there were 530,133 "units of Ether" sitting out there for the taking, but they've all been stolen. Better luck next time.
This sucks for the Ethereum miners (Score:3)
Re: (Score:2)
On the other hand, as soon as the price crashes there will be a flood of cheap high end GPUs on the market. Trick will be getting one of the later ones that hasn't been run hard 24/7 for months.
Price going down (Score:2)
Ethereal (Score:2)
Ether is ethereal? Whodathunkit?
2a : lacking material substance [merriam-webster.com]
First suspect is Capital One (Score:2)
Re:First suspect is Capital One (Score:4, Funny)
String, or nothing!
Re: (Score:3)
If a compromised client can destabilize the whole system, that's not a problem with the client: it's a problem with the server which trusts the client way too much.
This has to do with the wallets and how they're generated and set up for multiple people to access them.
In the Bitcoin world, a wallet is little more than a private key. The network stores a record of how much Bitcoin your wallet has in it. If you want to spend money, you send a transaction signed with your wallet's private key. A miner mines a block containing your transaction, and then nodes on the network verify it, and the fact that you spent .0002 BTC on a 20-minute subscription to HD-Taints.com is
LOL! (Score:4, Interesting)
Ethereum is a scam coin. The entire concept is absurd. But even if you want to buy into the hype, don't mind the IPO bullshit, and you think "proof of stake" and "smart contracts" are somehow magical things, why would you EVER use a "multi-sig wallet"?
Bitcoin has a few simple fucking rules. Chief among them is to treat your wallet with Bitcoin in it like your regular wallet with cash in it.
You keep it secure yourself and you encrypt it and you don't hand it over to anyone else.
A multi-sig wallet is a wallet with access set up for X people, where transfers out of the wallet require Y people's (among the X) approval.
1 < Y <= X
You may as well hand cash to Bernie Madoff and tell him to only spend it when you both agree.
Ethereum persists because of 2 reasons:
1 - People are fucking retarded and think the convoluted bullshit layered on top of a block chain somehow makes Ethereum more useful than Bitcoin (it doesn't), or more trustworthy (it doesn't).
2 - People want to make a profit using consumer GPUs and can't with Bitcoin, so they're grinding away on Ethereum. Once someone slaps together an ASIC with a bunch of memory to mine Ethereum, Ethereum will tank (even more so than it has recently) as all the small-time miners leave. All the big-time miners (those paying for ASICs and running on free power / the giant farms in China) will stay with Bitcoin.
From Parity's web page:
Tested from Day One
Making the most reliable and resilient software able to perform with excellence throughout deployments as diverse as teraflop financial servers and door handles is no task for the faint hearted. Our software is unit-tested from, quite literally, day one. From RLP and the Trie to the network subsystem, we aim for our unit tests to cover 100% of critical logic.
In Consensus
We pride ourselves on passing all 1,000+ consensus tests in the client consensus suite. Written according to the Yellow Paper specification and designed with the foreknowledge of the exact protocol we will need to implement, Parity achieves full consensus without pulling any punches on code design and clarity, enabling us to maintain an agile, fast-paced development cycle.
100% Reviewed
Every single line in our codebase is fully reviewed by at least one expert developer (and routinely two or more) before being placed in the main repository. We strive for excellence; static code checking is used on every compile to cut out bad idioms. Style is enforced before any alteration may be made to the main repository. Continuous integration guarantees our codebase always compiles and tests always pass.
HO HO HO!
I wonder if Ethereum will fork to revert the stolen Ether. If so, it ruins any glimmer of hope it had at becoming a legitimate decentralized currency. If not, a lot of people will be exiting the game.
Bitcoin has an upcoming potential fork coming soon, too. It's mildly contentious, fairly interesting, but ultimately it will have little to no impact on the viability or trust of Bitcoin.
Re: (Score:3, Insightful)
That's a consortium of various entities exploring applications for blockchains. The astute will note that the word "currency" occurs exactly nowhere on that page.
Re: (Score:2)
You're an idiot. Blockchains are good. Ethereum, "smart contracts", and the people running that whole shit show are not.
Re: (Score:2)
I wonder if Ethereum will fork to revert the stolen Ether. If so, it ruins any glimmer of hope it had at becoming a legitimate decentralized currency.
Ethereum has already forked [coindesk.com] due to similar circumstances in the past. Ethereum Classic (ETC) is the original unforked chain that continues to live on under a different management.
Re: (Score:2)
Yeah, the DAO fork. Even then it was controversial. From your own link:
Since the hard fork, an additional 153 blocks have been successfully mined. However, as suggested earlier, the move may not be without continued controversy.
The decision to hard fork was initially met with resistance by some members of the ethereum community who were concerned it might undermine the perception that the blockchain was immutable, and that contract agreements, once settled to the blockchain, would be final.
With major banks and startups alike now building with ethereum, this is a concern that will likely be followed closely.
And that was over a year ago. Look at the price and trade volume of Ethereum now compared to then.
You don't fork due to theft and expect people to trust your currency or believe the bit about it being decentralized with no overriding authority. A fork means you either get on the winning team or you get fucked, and when the winning team is determined by a small handful of people (and corporations), what are you really gaining over fia
Re: (Score:2)
Yeah, but they're usually people you know - half the directors if it's a business account, two of three siblings if it belongs to a senile parent.
Not a Singaporean ladyboy and some random teenager from Lavaturia.
Re: (Score:2)
Bitcoin has a few simple fucking rules. Chief among them is to treat your wallet with Bitcoin in it like your regular wallet with cash in it.
You keep it secure yourself and you encrypt it and you don't hand it over to anyone else.
That's fine for the money in my wallet, but I don't expect it's fine for the money in my bank account. If I trip and fall in a river and lose my wallet, I expect to still be able to access my bank account. If my house burns down, I expect to still be able to access my bank account.
Availability is a fundamental security requirement.
Re: (Score:2)
Bitcoin has a few simple fucking rules. Chief among them is to treat your wallet with Bitcoin in it like your regular wallet with cash in it.
You keep it secure yourself and you encrypt it and you don't hand it over to anyone else.
That's fine for the money in my wallet, but I don't expect it's fine for the money in my bank account. If I trip and fall in a river and lose my wallet, I expect to still be able to access my bank account. If my house burns down, I expect to still be able to access my bank account.
Availability is a fundamental security requirement.
And you can have a bank store your wallet in a safety deposit box for you. You can have Dropbox or Google or a public FTP store a copy of your wallet for you.
The concept is pretty much perfect. Treat it like cash and protect it like cash. The neat thing about it is that you're not beholden to anyone, even if they're protecting your wallet for you. Since you can duplicate your wallet, and the people holding your wallet can't access it (because you're encrypting it), then you're golden. All you need to s
Insufficient... (Score:2)
Insufficient decimal points for accurate evaluation of worth.
Want security in your money, and elections? (Score:1)
Use paper. It's still the best, most reliable medium ever devised.
Computers are not ready for prime time. They are too frail.
Decayed, Not Stolen (Score:3)
The Etherium was not stolen. It just changed via radioactive decay. It turned into Felonium, the criminal element.
Re: (Score:2)
Where are my mod points when I need them?
*sigh* (Score:2)
Re: (Score:2)
When Germany joined the Eurozone, few Germans switched to using the Euro. It wasn't until the German government began requiring that Euro be used to pay taxes that the population switched.