Ethereum Zero-day Exploit Found in Multisig Wallets

On Thursday, three companies that had raised millions of dollars' worth of ether through initial coin offerings (ICOs) had their wallets emptied by an unknown hacker exploiting a zero-day vulnerability.

In total, at least 150,000 ETH, valued at roughly $31 million (USD), was stolen from three of the largest Ethereum wallets. The attacker took ownership of the multisig wallets by re-initializing them: the wallet contract forwarded any call it did not recognize to a shared library contract (via delegatecall, so the library's code ran against the wallet's own storage), and the library's initialization routine, meant to run once when a wallet is created, could be called again at any time and simply overwrote the owner list with whatever addresses the caller supplied. Once recorded as owner, the attacker could withdraw the funds like any legitimate owner. Within minutes of the theft, developers traced the vulnerability to the Parity Wallet multisig smart contract and prevented the hacker from exploiting it more widely. The tokens already stolen, however, were deemed unrecoverable.
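To make the mechanism concrete, the following is a constructed, deliberately simplified Solidity illustration added for this page. It is not Parity's code: the single-owner model, the `execute` function and the contract names are simplifications chosen for the example, and the `initWallet` name is used only to mirror the description above. It shows a wallet that forwards unknown calls to a shared library with delegatecall, a library whose initializer can be run again by anyone, and a hardened library that refuses re-initialization.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example (not Parity's code). The wallet keeps owner state in its
// own storage but forwards calls it does not implement to a shared library via
// delegatecall, so the library's code runs against the wallet's storage.

contract VulnerableWalletLibrary {
    // Storage layout must match the wallet that delegatecalls into this library.
    address public owner;

    // Intended to run once, during wallet construction. Nothing prevents a second
    // call: whoever reaches it (directly or through the wallet's fallback) becomes owner.
    function initWallet(address _owner) public {
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Owner-only withdrawal; after a hostile re-initialization the attacker can call it.
    function execute(address payable to, uint256 value) public onlyOwner {
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}

contract HardenedWalletLibrary {
    address public owner;
    bool private initialized;   // extra slot; the wallet reserves it too

    // Initialize the library's own storage so the shared instance can never be claimed.
    constructor() {
        initialized = true;
        owner = msg.sender;
    }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    // The fix: the initializer runs at most once per wallet storage context.
    function initWallet(address _owner) public onlyUninitialized {
        initialized = true;
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function execute(address payable to, uint256 value) public onlyOwner {
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}

contract Wallet {
    // Same layout as the libraries so delegatecall writes land on the right slots.
    address public owner;
    bool private initialized;
    address public immutable lib;   // immutable lives in bytecode, not storage

    constructor(address _lib, address _owner) {
        lib = _lib;
        // Legitimate one-time initialization, performed through the library.
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address)", _owner)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Any unknown selector is forwarded to the library and executed in this
    // contract's storage context. With VulnerableWalletLibrary, a transaction whose
    // calldata encodes initWallet(attacker) lands here, reaches the unguarded
    // initializer, and rewrites `owner`; with HardenedWalletLibrary it reverts.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

The attack against the vulnerable variant is two ordinary transactions to the wallet address: one carrying the ABI encoding of `initWallet(<attacker>)`, which the fallback forwards and which silently replaces the owner, and one carrying `execute(<attacker>, <balance>)`, which now passes the owner check. The hardened library blocks the first step with a storage flag, and its constructor also marks the shared library instance itself as initialized, so that nobody can take ownership of the library contract either, which would otherwise be a second way to interfere with every wallet that depends on it.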

Swarm City, a decentralized internet commerce platform, publicly confirmed in a press release that it was one of the three victims, losing 44,055 ETH valued at $9.15 million (USD). It advised anyone storing funds in Parity's enhanced multisig contract to move them to a new account. Because the vulnerability applies only to this particular multisig contract, holders of ordinary single-owner accounts were never at risk.

Ethereum is an open-source, blockchain-based distributed computing platform inspired by the bitcoin cryptocurrency. Computers running the Ethereum node software participate in the Ethereum Virtual Machine, a shared execution environment that runs programs known as "smart contracts," which can hold and transfer ether. Every transaction that executes contract code pays a fee, denominated in ether and measured in "gas," that scales with the amount of computation and storage the execution consumes.

By contrast, bitcoin's security and the issuance of new coins rest on the hardware-intensive task of "mining" cryptographic hashes, a process known as "proof-of-work." One of the major criticisms of bitcoin is that this mining consumes energy and computational resources without doing any socially useful work. Ethereum also launched with, and at the time of this article still uses, proof-of-work mining; its planned "proof-of-stake" model would instead select block creators from participants who lock up ether as collateral, with the chance of selection weighted by the amount each has staked, so that misbehavior costs the validator its stake rather than merely wasted electricity.


