Open-source blockchain-based distributed computing platform featuring smart contract functionality, which facilitates online contractual agreements.
At approximately 9:30 a.m. (Pacific Time) on July 19, 2017, a vulnerability was discovered. It could allow hackers to drain the funds of users who used the "multi-signature" Parity wallet. Multisig wallets require multiple private keys for activation. Versions 1.5 and later were affected.
As a result, a large number of different projects were attacked. Among them:
Users were able to locate 3 wallets to which the funds were sent:
- White Hat Group’s Wallet
- First Alleged Attacker’s Wallet
- Second Alleged Attacker’s Wallet
The White Hat Group also noted that they will return the funds. This information was posted on Reddit.
The issue was caused by a bug in the affected Parity code. It allowed an affected wallet’s initialization function to be called again after the wallet was created. A hacker could therefore call that code afterwards and claim ownership of the account. Ethereum community members called the bug "the most obvious bug in the history of ethereum"; others noted that the vulnerability went undiscovered for half a year. At approximately 1:30 p.m. Pacific Time, Parity founder Gavin Wood committed a fix to the Parity GitHub that he believes should alleviate the vulnerability. There are also some interesting comments on GitHub, for example, "Who is auditing this code that ends up affecting $100 millions worth of currency ? :/" by admazolla.
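The bug class described above, a wallet initializer that stays callable after creation, is shown here beside a guarded version. This is an added illustration, not Parity's code or the committed fix; the contract, function and modifier names are hypothetical, and the guard assumes initialization happens in the deployment transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical names throughout; simplified to the ownership state only.
// Before: the initializer is an ordinary external function with no state
// check, so any later caller can run it again and add themselves as owner.
contract ReinitializableWallet {
    mapping(address => bool) public isOwner;
    uint256 public required;

    function initialize(address[] calldata owners, uint256 _required) external {
        for (uint256 i = 0; i < owners.length; i++) {
            isOwner[owners[i]] = true;
        }
        required = _required;
    }
}

// After: the initializer reverts once an owner set exists, so ownership
// can only be established once (assumed: in the deployment transaction).
contract GuardedWallet {
    mapping(address => bool) public isOwner;
    uint256 public ownerCount;
    uint256 public required;

    modifier onlyUninitialized() {
        require(ownerCount == 0, "already initialized");
        _;
    }

    function initialize(address[] calldata owners, uint256 _required)
        external
        onlyUninitialized
    {
        require(owners.length > 0, "no owners");
        require(_required > 0 && _required <= owners.length, "bad threshold");
        for (uint256 i = 0; i < owners.length; i++) {
            require(owners[i] != address(0), "zero owner");
            require(!isOwner[owners[i]], "duplicate owner");
            isOwner[owners[i]] = true;
        }
        ownerCount = owners.length; // non-zero from here on, closing the guard
        required = _required;
    }
}
```

When reviewing a wallet contract for this issue, check that every function able to write the owner set or signature threshold either carries such a one-time guard or requires approval from the existing owners.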
At the time of writing, it is still unclear who the malicious attacker is or whether the remaining victims will ever recover their funds. New victims can also still appear. According to EtherScan, the malicious account sent the stolen funds to other wallets. The hackers may hope to obfuscate their activities this way.