32% of the assets were stolen from Satoshi Pie

According to the cryptocurrency fund's team, $7,000,000 was withdrawn by unknown parties within an hour
21 July 2017

Yesterday, on July 19, a vulnerability in the Ethereum wallet Parity allowed unknown parties to withdraw about 32.4% of the fund's assets, or about $7 million, from Satoshi Pie. Representatives of Satoshi Fund and the managers of Satoshi Pie reported the incident.

The report says that most of the funds were withdrawn within an hour. The project team managed to move the remaining funds to a new wallet under its control. As events unfolded, it became known that the attack was carried out by the White Hat Group (WHG). According to the WHG statement on Reddit, the representatives of Satoshi Fund and Satoshi Pie are now waiting for the funds to be returned to a new contract (without vulnerabilities).

Representatives of Satoshi Fund and Satoshi Pie say that the damage is not critical and that the fund will continue to operate, although its operating mode will change slightly. I/O operations will be processed once a week, and a single deposit or withdrawal transaction will be limited to 10 BTC.

In addition, the Satoshi Fund and Satoshi Pie project teams will consider moving all funds in the Ethereum ecosystem to Zeppelin smart contracts. A new version of the Satoshi Pie whitepaper will also be published in the coming days.

An English version of the team's message is also available.

This is not the only loss of funds caused by the Parity hack. Projects such as Edgeless Casino and Aeternity lost money too.

Constantinople to be Postponed

Ethereum's hard fork will be delayed due to a critical vulnerability
16 January 2019

A scheduled upgrade of the Ethereum network called Constantinople was postponed indefinitely after a critical vulnerability was discovered in one of the improvements, CoinDesk reports.

The vulnerability is in EIP-1283 and, as identified by the smart contract audit company SmartSecurity, it gave hackers the opportunity to steal user funds.

During a video conference on Tuesday attended by Ethereum developers and by developers of other clients and projects working on the network, it was decided to temporarily postpone the activation of the hard fork.

Among those who took part in the meeting were Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan Van Ness, and Parity release manager Afri Schoedon. Discussing the vulnerability, they agreed that it would be impossible to eliminate it before the time scheduled for the hard fork (around 04:00 UTC on January 17).

The vulnerability, known as a reentrancy attack, allows an attacker to re-enter the same function repeatedly and withdraw funds indefinitely.

Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.
 

Joanes Espanol

CTO, blockchain analytics firm Amberdata

According to him, this is a lot like the vulnerabilities that were discovered in The DAO in the summer of 2016.

Representatives of ChainSecurity also noted that until the Constantinople hard fork, data storage on the network costs 5,000 units of gas, which exceeds the 2,300 gas usually needed to call the “transfer” and “send” functions. After the upgrade, “dirty” storage operations will cost 200 units of gas, and an attacking contract can use the 2,300 gas to successfully manipulate the variables of vulnerable contracts.
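Added example, not part of the original article or of any project's code: a simplified Python model of the gas arithmetic described above, showing that the old storage price only incidentally blocked a callback from writing state, while reading all state before the external call keeps the payout correct at either price. The SplitPayer contract, its split value, the 700-gas call overhead and the hook are assumptions made for illustration; the 2,300, 5,000 and 200 gas figures are the article's.

```python
STIPEND = 2300        # gas available to the receiver on transfer/send (article figure)
CALL_COST = 700       # assumed cost of the callback's call back into the payer
SSTORE_OLD = 5000     # storage write cost before Constantinople (article figure)
SSTORE_DIRTY = 200    # "dirty" storage write cost after the upgrade (article figure)

class OutOfGas(Exception):
    pass

class SplitPayer:
    """Toy contract model: pays `amount` to two parties according to a stored split."""
    def __init__(self, sstore_cost, hardened):
        self.sstore_cost, self.hardened = sstore_cost, hardened
        self.split = 100              # percent owed to the first party

    def update_split(self, percent, gas):
        if gas < self.sstore_cost:    # the write does not fit in the remaining gas
            raise OutOfGas
        self.split = percent

    def _send(self, value, receiver_hook):
        # transfer/send: the receiver's code runs with only the stipend
        receiver_hook(self, STIPEND)
        return value

    def pay_out(self, amount, receiver_hook):
        saved = self.split
        try:
            if self.hardened:
                # Hardened: read all state before making any external call
                first = amount * self.split // 100
                second = amount * (100 - self.split) // 100
                return self._send(first, receiver_hook) + self._send(second, receiver_hook)
            paid = self._send(amount * self.split // 100, receiver_hook)
            # Vulnerable: split is re-read after the external call has returned
            return paid + self._send(amount * (100 - self.split) // 100, receiver_hook)
        except OutOfGas:
            self.split = saved        # the whole transaction reverts
            return 0

def reentrant_hook(payer, gas):
    """Receiver callback that writes to the payer's storage during the transfer."""
    payer.update_split(0, gas - CALL_COST)

def simulate(sstore_cost, hardened):
    return SplitPayer(sstore_cost, hardened).pay_out(1000, reentrant_hook)
```

With the 5,000-gas write the callback runs out of gas and the payout reverts; with the 200-gas write the vulnerable ordering pays out twice the intended amount, and the hardened ordering pays exactly the intended amount.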

The new date of the hard fork has not yet been determined.