Just days after a hacker managed to steal more than $7 million in digital currency using a simple link switch on a website, a second hacker group grabbed even more in a separate incident involving a vulnerability in a digital wallet client. The incident took place between 3 p.m. and 4 p.m. (ET) on Wednesday and affected v1.5 and later versions of Parity Wallet. The problem has since been fixed, but not before hackers stole more than $33 million in Ether.
Digital currencies such as Bitcoin and Ether are typically transferred across the internet from digital wallet to wallet using special links. A multi-signature wallet requires multiple keys to authorize a digital currency transaction, so that the transaction must be approved by multiple individuals. Ethereum creator Gavin Wood developed Parity Wallet, which can support numerous contracts that require multi-signature transactions in one application.
Parity said on Wednesday that affected users consist of any multi-signature wallet created within Parity Wallet prior to 5:14 p.m. (ET) on Monday. All users are encouraged to move assets contained in those wallets to a secure address. So far, the company has not stated who was affected by the vulnerability, but several entities have come forward to publicly disclose losses stemming from the hack, one of which is peer-to-peer sharing economy Swarm City.
“Bernd Lapp, Business Hive leader, noticed that the entire contents of the Swarm City ETH multi-sig wallet had been drained. Bernd checked the receiving address and noticed a few very large transactions had hit the same wallet. We alerted the Ethereum Foundation and multiple developer groups immediately,” states Swarm City.
After an investigation, Swarm City determined that hackers exploited a flaw residing within the code handling multi-signature transactions in Parity Wallet. Overall, the hackers stole more than 153,000 Ether coins from multiple Ethereum-based projects such as Aeternity and Edgeless Casino. Swarm City said it also lost 44,055 Ether coins, which equals just over $10 million in cash at the current exchange rate.
But the total Ether depletion could have been a lot worse. Swarm City said that a white hat hacker group used the same exploit to drain many multi-signature wallets to keep the digital currency out of the hackers’ hands. This group managed to save more than 377,000 Ether coins ($86 million), as shown in the Etherscan record of their digital wallet.
“White Hat Group(s) were made aware of a vulnerability in a specific version of a commonly used multi-sig contract,” a public note states. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multi-sig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.”
The wallet of the hackers behind the Ether heist can be found here. The account still has around $19 million worth of Ether, which can only be spent on the Ethereum platform. Those who lost Ether in Wednesday’s heist might want to check with the white hat address to see if the “good guys” saved their coins.