2021 Fillmore Street #1128

}

24/7 solutions

Top 10 Cloud Providers

Technical Analysis of the $31 Million Dollar Ethereum Hack

Here’s an interesting analysis of the $31 Million Ethereum Hack. http://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-9e5dc29e33ce From a technical standpoint, it appears as though the software developers who built the Parity wallet put in a catch all function that enables unknown functions that are payable, that send you Ether, to default to depositing the Ether. function() payable { //msg.value is […]

Here’s an interesting analysis of the $31 Million Ethereum Hack.
http://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-9e5dc29e33ce

Ethereum Theft
From a technical standpoint, it appears as though the software developers who built the Parity wallet put in a catch all function that enables unknown functions that are payable, that send you Ether, to default to depositing the Ether.

function() payable {
  //msg.value is the amount of Ether
  if (msg.value > 0) {
    Deposit(msg.sender, msg.value);
  }
  throw;
}


In the Parity wallet, the developers took this functionality a step further, and wrote code to state if the value of the Ether is equal to 0 and the length of the msg is greater than zero, then delegate the call to the Wallet.

function() payable {
  //msg.value is the amount of Ether
  if (msg.value > 0) {
    Deposit(msg.sender, msg.value);
  }
  else if (msg.data.length > 0) {
    //if the msg data has data and msg.value is equal to 0, then delegate
    //the call to the Wallet Library's version of this function.
    _walletLibrary.delegatecall(msg.data);
  }
}


So what happened?
The thieves understood the vulnerability vector. They invoked the catch all function with the initWallet function. This call was not implemented in the contract, but was implemented in the wallet.
The initWallet function looks like the following:

function initWallet(address[/fusion_builder_column][fusion_builder_column type="1_1" background_position="left top" background_color="" border_size="" border_color="" border_style="solid" spacing="yes" background_image="" background_repeat="no-repeat" padding="" margin_top="0px" margin_bottom="0px" class="" id="" animation_type="" animation_speed="0.3" animation_direction="left" hide_on_mobile="no" center_content="no" min_height="none"][] _owners, uint _required, uint _daylimit) {
  initDaylimit(_daylimit);
  initMultiowned(_owners, _required);
}


The key piece here is the _owners. They passed in the address of the owners to the wallet. In effect, the thieves initialized the wallet so they became the owners. They drained the tokens from the wallet, and said bye bye.

Joel Garcia
Joel Garcia

Joel Garcia has been building AllCode since 2015. He’s an innovative, hands-on executive with a proven record of designing, developing, and operating Software-as-a-Service (SaaS), mobile, and desktop solutions. Joel has expertise in HealthTech, VoIP, and cloud-based solutions. Joel has experience scaling multiple start-ups for successful exits to IMS Health and Golden Gate Capital, as well as working at mature, industry-leading software companies. He’s held executive engineering positions in San Francisco at TidalWave, LittleCast, Self Health Network, LiveVox acquired by Golden Gate Capital, and Med-Vantage acquired by IMS Health.

Related Articles

What is Tigera?

What is Tigera?

An AWS Advanced Technology Partner, Tigera delivers Calico and Calico Enterprise for security and networking on EKS, both of which are AWS Containers Competency certified.

Vezt

Vezt

Blockchain technology has the potential to be a windfall for musicians, filmmakers, and video game developers. With the advent of new technology, the way we consume entertainment is changing. Vezt assists artists in distributing their tracks on digital channels and in promoting their work.

Top Platforms for NFTs: Polygon and Flow

Top Platforms for NFTs: Polygon and Flow

As blockchain technology continues to develop, we are seeing an increase in the number of platforms, languages, and applications. Your works of art and collectables can now be presented and traded in the form of non-fungible tokens (NFTs), which are a relatively new development.

Free AWS Services List

Download this FREE list of all 200+ AWS services and ensure that you're using the optimal services for your use case to enhance efficiency and save money!

Free AWS Business Continuity Plan Template

Make sure you have the proper business continuity plan explicitly for your AWS infrastructure. Our team of experts built this template using AWS Best Practices so you can ensure it's built to scale! 

Free Cloud Migration Checklist

Without the proper cloud migration strategy, you risk losing time and money. Ensure that your migration process is running smoothly with our FREE cloud migration checklist.

Free AWS Services List

You might be optimizing with the wrong AWS services. Download this FREE list of all 200+ AWS services and ensure that you're using the optimal services for your use case to enhance efficiency and save money!

Download your FREE AWS Business Continuity Plan Template
Download Free 200+ AWS Services Checklist
Download our 10-Step Cloud Migration ChecklistYou'll get direct access to our full-length guide on Google Docs. From here, you will be able to make a copy, download the content, and share it with your team.