Parity Unauthorized Withdrawals

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Parity

Parity created a complex multi-signature smart contract which had a public function enabling anyone to take claim over a wallet.

Because of the complexity, this was hidden in another part of the contract which was not easy to find. Parity had no formal audit, nor bug bounty program running.

Eventually, a hacker found the function and used it to commandeer funds of multiple projects. Other funds were saved by white hat hackers.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]

About Parity

"Several years ago Gavin Wood, Ethereum cofounder and CTO established EthCore, a non-profit organization that develops software for Ethereum infrastructure, which later changed its name to Parity Technologies. One of its products is Parity, an Ethereum client that provides a web interface for the underlying Ethereum node software. It allows the user to access the basic Ether and token wallet functions, and also to interact with smart-contracts deployed on the Ethereum Blockchain. The Parity wallet is designed to integrate seamlessly with all standard tokens as well as manage Ether transfers. It is compatible with Ubuntu, OSX, Docker, and Windows. The vast array of options offered by Parity wallet made it extremely popular in the crypto community."

"What if we no longer had to route our interactions through centralised services? What if data breaches were a remnant of an old flawed infrastructure? Each piece of Parity's technology is a step towards a society run on peer-to-peer networks instead of by a handful of corporations."

"Technology developed by a team of the world’s top blockchain engineers." "60+ developers across fifteen countries. A no-bullshit culture of getting stuff done." "In general, we treat security and consensus code extremely seriously at Parity."

"The original "Foundation" multi-sig wallet code was created and audited by the Ethereum Foundation's DEV team, Parity and others from the community. It is used extensively and underwent extensive peer review."

"On Wednesday 19th July, 2017 a bug found in the multi-signature wallet ("multi-sig") code used as part of Parity Wallet software was exploited by parties unknown." "Any user with assets in a multi-sig wallet created in Parity Wallet prior to 19/07/17 23:14:56 CEST" [should] "[i]mmediately move assets contained in the multi-sig wallet to a secure address."

"As reported by the startup, the issue is the result of a bug in a specific multi-signature contract known as wallet.sol., the attacker can take over the wallet immediately and absorb all the funds." "This attack is unique in both how long the bug has remain dormant, and also in how easy it is to actually utilize the exploit."

"Th[e initWallet] method is intended to initialize the wallet using the given array of signers, number required to confirm a transaction, and the limit per day allowed to be moved before requiring a confirmation. Note the lack of a visibility modifier on the function, which defaults it to public. Thus, anybody is allowed to call this function, and can freely set the parameters to whatever they like. To an attacker, they could set the ownership to their own address, and the day limit to be high enough to siphon out all of the funds in a single transaction."

"The wallet code for “Wallet.sol” is not the same code that is actually deployed when using the multi-sig wallet feature in Parity. In reality, the actual multi-sig wallet code that is deployed is inside a different repository, called “enhanced-wallet.sol”. It is this code that contains the vulnerability that we witnessed today, and is not present in the “contracts” repository, only linked to from the Parity wiki." "This chain of events meant that the actual number of eyes that have passed over the code has reduced by a significant portion."

"The code used in Parity Wallet is a modified form of the original multi-sig wallet code. It was restructured into a lightweight "stub" contract which is deployed to the network every time a wallet is created, together with a much heavier "library" contract, containing the majority of the wallet's logic and which is deployed only once. (By splitting the code in this way, deploying a wallet is substantially cheaper in terms of gas costs.) The bug was introduced during this restructuring."

"Around 153,000 tokens were taken by hackers, according to data from Etherscan. 44,055 tokens were stolen from commerce platform Swarm City. The theft was noticed at 12:30 p.m. ET on Wednesday, according to Swarm City communications officer Matthew Carano. The stolen tokens are worth around $32.6 million at today’s price for ether." "3 multi-sig wallets were exploited from of a total of 596 vulnerable multi-sig wallets (the rest were commandeered by the White Hat Group), which themselves are a tiny fraction of Parity accounts."

"According to Parity founder and CTO Gavin Wood, at least three ether addresses have been compromised as a result of the bug." “We alerted the Ethereum Foundation and multiple developer groups immediately. Together, we were able to determine that malicious actors had exploited a flaw in the Parity Multisig code, which allowed a known party to steal over 153,000 ether from several projects including Edgeless Casino, Aeternity, and Swarm City,” Carano said in a blog post.

"Multi-sig wallets created in Parity Wallet after 19/07/17 23:14:56 CEST are secure." "The fix is the equivalent of asking the bank not to let anybody (except the bank’s staff) make changes to your account."

Writing in the Parity Gitter channel, Wood said: "There is an effort by the foundation underway to secure funds in other wallets to prevent any further compromises; they will make an announcement in their own time." "Data suggests the issue was mitigated, however, as 377,000 ethers that were potentially vulnerable to the issue were recovered by white hat hackers." "A swift response from a whitehat hacker group used the same exploit to drain many other project’s parity multisig wallets, in order to protect them from theft. This group was able to save over 377,000 ETH. Unfortunately the 44,055 ETH that was in Swarm City’s wallet is gone." "The group says they will be returning the funds to accounts that have been drained and are using the DAO rescue donations for the gas to send the ether forward."

"While there is no fool-proof means of practically ensuring software contains no bugs, Parity Technologies is committed to minimizing the chances that its software contains exploits. In response to the present exploit we will refine our development processes and CI system."

"The first and biggest change will be to ensure that any alterations to the codebase that involve live contract code (which can be generally identified through .sol files) be reviewed by Solidity experts. At present the multi-sig wallet is the only Solidity code that is user-deployable and in wide use within Parity."

"Going forward, Parity will try to arrange a bug-bounty program. Unfortunately, since Parity is a small, minimally-funded start-up, we have not the resources to do this alone."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Parity Unauthorized Withdrawals
Date Event Description
July 20th, 2017 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $32,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

One of the key features that a successful multi-sig needs is simplicity, such that security can be certain. Having complexity on a multi-sig defeats the purpose.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (May 18, 2021)
  2. $32 million worth of digital currency ether stolen by hackers (Jul 27, 2021)
  3. Twitter icon (Jul 27, 2021)
  4. update wallet library modifiers · openethereum/parity-ethereum@6b0e4f9 · GitHub (Jul 27, 2021)
  5. "I Learn Blockchain"-XII. Ethereum Security Parity First Security Incident Vulnerability Analysis - Programmer Sought (Jul 27, 2021)
  6. $30 Million: Ether Reported Stolen Due to Parity Wallet Breach - CoinDesk (Jul 27, 2021)
  7. Parity Multisig Wallet Exploit Hits Swarm City Funds — Statement By The Swarm City Core Team | by Matthew Carano | Swarm City Times (Jul 27, 2021)
  8. Address 0xb3764761e297d6f121e79c32a65829cd1ddb4d32 | Etherscan (Jul 27, 2021)
  9. Address 0x1dba1131000664b884a1ba238464159892252d3a | Etherscan (Jul 27, 2021)
  10. Report: Hackers Stole $32 Million in Ethereum After a Parity Breach (Jul 27, 2021)
  11. On The Parity Multi Sig Wallet Attack (Jul 27, 2021)
  12. Ethereum's Parity Users Lose Millions in a Multi-Sig Hack – News Bitcoin News (Jul 27, 2021)
  13. Twitter icon (Jul 27, 2021)
  14. Parity Multisig Wallet Hacked, or How Come? (Jul 27, 2021)
  15. The Parity Wallet Hack Explained – OpenZeppelin blog (Jul 27, 2021)
  16. List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23, 2021)
  17. Twitter icon (Jun 23, 2021)
  18. Twitter icon (Jun 23, 2021)
  19. An In-Depth Look at the Parity Multisig Bug (Jun 23, 2021)
  20. 3 Famous Smart Contract Hacks You Should Know (Nov 3, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Parity_Unauthorized_Withdrawals&oldid=5043"