New vulnerability found in the Parity Ethereum wallet

Discussion in 'Blockchain, Cryptocurrencies, smart contracts' started by Rebz, 9 Nov 2017.

  1. Rebz

    Rebz Banned

    Joined:
    8 Nov 2004
    Messages:
    4,052
    Likes Received:
    1,534
    Reputations:
    1,128
    Security Alert
    8 November 2017
    Severity: Critical

    Product affected: Parity Wallet (multi-sig wallets)

    Summary: A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.

    Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

    UPDATE: We very much regret that yesterday’s incident has caused a great deal of stress and confusion amongst our users and the community as a whole, especially with all the speculation surrounding the issue. We continue to investigate the situation and are exploring all possible implications and solutions. Blockchain and related technologies are a vanguard area of computer science. Our mission remains to build software to power the decentralised web.

    If you are concerned about whether your wallet has been affected please visit this website that we created to provide a list of affected accounts. We are in touch with users affected by the issue – in case you are affected and want to reach out, please contact us under [email protected].

    Following the fix for the original multi-sig vulnerability that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. Unfortunately, that code contained another vulnerability which was undiscovered at the time - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It is our current understanding that this vulnerability was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC and subsequently a user deleted the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable and funds frozen since their logic (any state-modifying function) was inside the library.

    All dependent multi-sig wallets that were deployed after 20th July functionally now look as follows:

    Code:
    contract Wallet {
        // The only thing left: the payable fallback that logs a deposit.
        event Deposit(address _from, uint _value);

        function () payable {
            Deposit(msg.sender, msg.value);
        }
    }
    This means that currently no funds can be moved out of the multi-sig wallets.

    We are analysing the situation and will release an update with further details shortly.

    Source: https://paritytech.io/blog/security-alert.html
    Issue on GitHub: https://github.com/paritytech/parity/issues/6995
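    As an added illustration (not Parity's code and not taken from the advisory), the Solidity below sketches the delegatecall "library wallet" pattern the alert describes: a library whose initWallet can be run on the library contract itself, the same library with its own storage marked initialized in the constructor so that step is impossible, and a proxy whose fallback forwards everything except plain ether transfers to the library. The contract names WalletLibraryVulnerable, WalletLibraryFixed and WalletProxy, and the function kill, are assumptions made for this example; initWallet is the name used in the advisory.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added example, not Parity's code. The proxy holds the ether and the storage;
// the library holds the logic and is reached via delegatecall. Names other
// than initWallet are invented for this illustration.

contract WalletLibraryVulnerable {
    // Layout must match the proxy: delegatecall runs this code against the
    // caller's storage, not the library's.
    address[] public owners;
    uint256 public required;

    // Unprotected initializer. Called directly on the library address, whose
    // own storage was never initialized, it makes the caller an owner of the
    // library contract itself.
    function initWallet(address[] memory _owners, uint256 _required) public virtual {
        owners = _owners;
        required = _required;
    }

    function isOwner(address who) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }

    // Run on the library by its new "owner", this removes the library code and
    // every proxy that delegatecalls into it is left with only its fallback.
    // Note: since EIP-6780 (Cancun) selfdestruct only removes code within the
    // creating transaction, so this exact outcome needs a pre-Cancun chain.
    function kill(address payable to) public {
        require(isOwner(msg.sender), "not owner");
        selfdestruct(to);
    }
}

contract WalletLibraryFixed is WalletLibraryVulnerable {
    // Appended after the inherited slots so the proxy's layout stays aligned.
    bool private initialized;

    // The library initializes its own storage at deployment, so initWallet can
    // never succeed on the library address.
    constructor() {
        initialized = true;
    }

    // A fresh proxy's storage is uninitialized, so its constructor may run this
    // once; any later call, via the proxy or on the library, reverts.
    function initWallet(address[] memory _owners, uint256 _required) public override {
        require(!initialized, "already initialized");
        initialized = true;
        owners = _owners;
        required = _required;
    }
}

contract WalletProxy {
    // Same layout as the library; the immutable takes no storage slot.
    address[] public owners;
    uint256 public required;
    bool private initialized;
    address public immutable lib;

    event Deposit(address indexed from, uint256 value);

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "init failed");
    }

    // Plain ether transfers never touch the library, which is why a wallet
    // whose library is gone still accepts deposits and can do nothing else.
    receive() external payable {
        emit Deposit(msg.sender, msg.value);
    }

    // Everything else runs the library's code with this contract's storage
    // and balance. delegatecall to an address with no code returns success
    // and no data, so the explicit code check turns a silent no-op into a
    // revert; the original wallets had no such check.
    fallback() external payable {
        require(lib.code.length != 0, "library code is gone");
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

    To reproduce the failure mode with WalletLibraryVulnerable: deploy it, deploy a WalletProxy pointing at it and fund the proxy, then from any account call initWallet directly on the library address followed by kill. Every owner-level call through the proxy afterwards reverts at the code check (or, without that check, silently does nothing), while deposits still emit Deposit. With WalletLibraryFixed the direct initWallet call reverts with "already initialized", and so does a second initWallet sent through the proxy, which also closes the re-initialization path used in the July incident.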
     
  2. Rebz

    Ethereum security lead: the frozen Parity funds can only be "unfrozen" by a hard fork

    Martin Holst Swende, head of security at the Ethereum Foundation, said:
    "Unfortunately, there is no way to recreate the code without a hard fork. Any solution that makes the locked funds accessible requires a hard fork."

    This means that Ethereum would have to undergo an emergency upgrade, just like the rewriting of the blockchain after the DAO that took place last year, if it wants users to be able to get the lost millions back.
     
  3. Rebz

    Message from Artem Kharlamov @banteg (Telegram)
     