Consequences of Parity hack

Experts estimate a large volume of losses; many Ethereum-based projects were hacked
21 July 2017

At approximately 9:30 a.m. (Pacific Time) on July 19, 2017, a vulnerability was discovered that could allow attackers to drain the funds of users of the "multi-signature" Parity wallet. Multisig wallets require multiple private keys for activation. Versions 1.5 and later were affected.

As a result, a large number of projects were attacked. Among them:

Users were able to locate 3 wallets to which the funds were sent.

  • White Hat Group’s Wallet
  • First Alleged Attacker’s Wallet
  • Second Alleged Attacker’s Wallet

The White Hat Group also noted that they will return the funds. This information was posted on Reddit.

The issue was caused by a bug in the affected Parity code: a wallet's initialization function could be called again after the wallet had been created. An attacker could therefore call that function on an existing wallet and claim ownership of the account. Ethereum community members called it "the most obvious bug in the history of ethereum"; others noted that the vulnerability went undiscovered for half a year. At approximately 1:30 p.m. Pacific Time, Parity founder Gavin Wood committed a fix to the Parity GitHub repository that he believes should alleviate the vulnerability. There are also some interesting comments on GitHub, for example, "Who is auditing this code that ends up affecting $100 millions worth of currency ? :/" by admazolla.
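The re-initialization flaw described above, as an added example that is not Parity's code: a simplified Python model of a 2-of-3 multisig wallet, with and without a one-time initialization guard. All class, method and account names are hypothetical, and the balance is a constructed sample value.

```python
# Simplified model with hypothetical names; the real wallet is a Solidity contract.
class WalletError(Exception):
    pass

class MultisigWallet:
    """Funds move only when `required` distinct owners confirm a transfer."""

    def __init__(self, guard_init):
        self.guard_init = guard_init  # True = hardened, False = flawed behaviour
        self.initialized = False
        self.owners = set()
        self.required = 0
        self.balance = 0

    def init_wallet(self, owners, required):
        # Hardened form: initialization is a one-time operation.
        if self.guard_init and self.initialized:
            raise WalletError("wallet already initialized")
        if not 1 <= required <= len(set(owners)):
            raise WalletError("invalid owner threshold")
        self.owners = set(owners)
        self.required = required
        self.initialized = True

    def transfer(self, amount, confirmations):
        # Only confirmations from current owners count toward the threshold.
        valid = set(confirmations) & self.owners
        if len(valid) < self.required:
            raise WalletError("not enough owner confirmations")
        if amount > self.balance:
            raise WalletError("insufficient balance")
        self.balance -= amount
        return amount

def reinit_outcome(guard_init):
    """Create a 2-of-3 wallet, then let a non-owner call init_wallet again."""
    w = MultisigWallet(guard_init)
    w.init_wallet(["alice", "bob", "carol"], required=2)
    w.balance = 100  # constructed sample balance
    try:
        w.init_wallet(["mallory"], required=1)
    except WalletError:
        pass  # the hardened wallet rejects the second call
    try:
        moved = w.transfer(100, confirmations=["mallory"])
    except WalletError:
        moved = 0
    return sorted(w.owners), w.required, moved
```

Without the guard, the second call replaces the owner set and lowers the threshold to one, so the multisig requirement no longer protects the balance; with the guard, owners, threshold and funds are unchanged.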

At the time of writing, it is still unclear who the malicious attacker is or whether the remaining victims will ever recover their funds. New victims may still appear. According to EtherScan, the malicious account sent the stolen funds on to other wallets, perhaps in the hope of obfuscating its activity.

Constantinople Hardfork Code to be Included in Geth

Go-ethereum (Geth) v1.8.20 assumes that the hard fork in the main Ethereum network will take place at block 7,080,000 (approx. between 14th - 19th Jan 2019)
13 December 2018

The developers of Geth, one of the most popular Ethereum clients, presented a new version of the software that includes the code for the upcoming Constantinople hard fork.

Go-ethereum (Geth) v1.8.20 assumes that the hard fork in the main Ethereum network will take place at block 7,080,000.

Consensus on the block number for activating the hard fork was reached last week during a regular video conference of leading Ethereum developers. According to Afri Schoedon, release manager of Parity, another popular client of the network, block 7,080,000 will be mined between January 14 and 18, 2019.

At the same time, Ethereum Foundation’s head of security noted that the new version of the go-ethereum client would contain a kind of “emergency switch” that would postpone the upgrade if something went wrong.

Originally scheduled for November, Constantinople contains a number of changes and code optimizations designed to ease the transition to the Proof-of-Stake algorithm. In particular, they include an 18-month delay of the so-called “difficulty bomb”, which contributes to timely upgrades, and a decrease in the miners' reward from 3 to 2 ETH per mined block.