Parity Technologies, creators of the Parity Browser for interacting with the Ethereum network, have issued a critical security alert. The browser’s Ethereum-based Parity Wallet has been hacked and compromised through a vulnerability found in Parity Wallet’s variant of its standard multi-sig contract. Affected users are any users with assets in a multi-sig wallet created in Parity Wallet prior to 19/07/17 23:14:56 CEST.
A hacker has reportedly stolen $32m (153k ETH) from three multisig wallets.
Malicious actors exploited a flaw in the Parity Multisig code, which allowed a known party to steal over 153,000 ETH from several projects including Edgeless Casino, Aeternity, and Swarm City.
In a swift response, a white hat hacker group used the same exploit to drain many other projects’ Parity multisig wallets in order to protect them from theft. This group was able to save over 377,000 ETH.
Whitehats saved over 950 people $170 Million in ETH today. That is awe inspiring. #Ethereum community owes them a large amount of gratitude.
— Swarm City (@SwarmCityDApp) July 20, 2017
It’s important to note:
1. The newer versions of the Parity multisig wallet have a vulnerability. This applies ONLY TO MULTISIG WALLETS, specifically those created in Parity Wallet > 1.5, released January 19, 2017.
2. If you do have funds in the multisig contract: carefully move your funds to a new account ASAP. If your funds are no longer in your multisig, please check the Black hat and White hat addresses. They might have been saved by the White hat group.
3. The vulnerability is in Parity’s “enhanced” multi-sig contract.
4. DO NOT fall for phishing attacks that opportunists will undoubtedly use to steal funds from crypto holders. Remember: do not click on links you don’t trust. If your funds are in single-user wallets, they are not at risk from the above-mentioned Parity multisig wallet exploit.
PARITY UPDATE: (20/07/17, 00:26 CEST): Future multi-sig wallets created by versions of Parity are secure (Fix in the code is https://github.com/paritytech/parity/pull/6103 and the newly registered code is https://etherscan.io/tx/0x5f0846ccef8946d47f85715b7eea8fb69d3a9b9ef2d2b8abcf83983fb8d94f5f).