Ethereum, a cryptocurrency and platform for decentralized apps, has been steadily gaining mainstream attention. It was only a matter of time before dedicated hackers started working it in earnest.
On Wednesday, a hacker allegedly made off with more than $30 million worth of the cryptocurrency, just two days after an alleged hacker stole $7.4 million.
According to a post by Parity founder Gavin Wood in the official chat channel for Parity, an ethereum client, a "critical" vulnerability in Parity led to at least three accounts being compromised by a hacker for a total loss of $31,725,019 USD worth of ether. Specifically, Wood wrote, the vulnerability affected the contract used to create multi-signature ethereum wallets in Parity 1.5, the latest release. These wallets allow several people to control private cryptographic keys that let them move ethereum out of the wallet if a majority of the key holders sign off on the transaction. The Parity team later published a blog post alerting users to the vulnerability.
"THIS IS NOT A DRILL," Wood wrote in the Parity chat channel. "[If] you have a parity-based multisig, move your funds to a secure address ASAP."
After the hack, there was an attempt by "whitehats at the foundation" to secure the lost funds, Wood wrote. (Wood was presumably referring to the Ethereum Foundation, which directs protocol development. He did not respond to a request for comment in time for publication.) There are ongoing efforts to secure funds in other potentially vulnerable wallets, Wood wrote, but those folks "will make an announcement in their own time."
In other words, wallets beyond the three cited by Wood may have been affected by the hack, but it's not yet clear which were cleaned out by thieves, and which had their funds funneled out by good-guy hackers who may return them later.
"Many more [wallets] are affected," Manuel Araoz, co-founder of ethereum smart contract development firm Zeppelin Solutions, who was one of the first to publicize the hack, wrote me in an email. However, he continued, "we still don't know if [it's] whitehat or blackhat."
On Reddit, one user wrote: "Well, there goes all 74 ether that I had. First transaction was an hour ago while I was at lunch. Not sure I could have stopped it if I had had a chance." However, another user cautioned that it may have been a whitehat hacker moving her funds out of the compromised wallet, and she may yet be able to retrieve them.
Wood wrote in the Parity chat that the team will be releasing a fix "ASAP," but in the meantime advised users with multi-signature wallets created with Parity to move their funds to a secure address.
The alleged hack would be one of the largest in ethereum's history, and brings to mind the infamous DAO hack of 2015. At that time, a hacker exploited a contract vulnerability to steal $53 million worth of the currency. As a solution, developers split ethereum into two versions in order to roll back the stolen funds—it was a brazen move, and drew widespread condemnation at the time.
Now, it seems like these sorts of hacks are becoming a weekly event.
Update: This article was updated to include a blog post from Parity Technologies announcing the vulnerability.