How A Simple One-Word Coding Error Let Hackers Steal Rs. 200 Crore From An Ethereum Wallet

 

Kids, this is why you pay attention in computer science class.

A simple, one-word error in the code of an Ethereum wallet has allowed cyber criminals to make off with $30 million in the cryptocurrency. Smart contract coding company Parity yesterday issued a security alert, warning of a vulnerability in version 1.5 or later of its wallet software. The company asked customers to quickly move their money into other accounts, but by the time users could react, 150,000 ethers, worth over $30 million, had been stolen. The company later fixed the bug. Embarrassingly, all it had to do was add one word.

A wallet initialization method, called initMultiowned, had not been declared as “internal”, allowing hackers to call a function they shouldn’t have been able to access. The offending line, shown in red in the code below, doesn’t have the word “internal” following the function declaration; the line in green, which fixed the bug, does.

[Screenshot: the code change, with the offending line in red and the fixed line in green]
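A defensive check for this class of bug, as an added example (not Parity's code and not part of the original article): in Solidity before 0.5.0, a function declared without a visibility keyword is public by default, so the script below flags such declarations. The sample contract, its parameter lists and the helper names are constructed for illustration.

```python
import re

VISIBILITY = {"public", "external", "internal", "private"}

# Constructed sample (not Parity's source): pre-0.5 Solidity, where a function
# with no visibility keyword is callable by anyone ("public" by default).
SAMPLE = """
contract WalletLibrary {
    // initialiser with no visibility keyword: externally callable
    function initMultiowned(address[] _owners, uint _required) {
        m_required = _required;
    }
    function initDaylimit(uint _limit) internal {
        m_dailyLimit = _limit;
    }
    function execute(address _to, uint _value) external onlyowner
        returns (bytes32)
    {
        return 0;
    }
}
"""

# A declaration header runs from "function <name>(" to the "{" or ";" ending it.
DECL = re.compile(r"\bfunction\b\s*(\w*)\s*\(([^)]*)\)([^{;]*)[{;]")

def strip_comments(src):
    """Remove comments but keep newlines so reported line numbers stay correct."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def implicit_public(src):
    """Return (line, name) for each function whose header names no visibility."""
    clean = strip_comments(src)
    hits = []
    for m in DECL.finditer(clean):
        # Words after the parameter list: visibility, modifiers, "returns", ...
        header_words = set(re.findall(r"[A-Za-z_]\w*", m.group(3)))
        if not header_words & VISIBILITY:
            line = clean.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1) or "<fallback>"))
    return hits

if __name__ == "__main__":
    for line, name in implicit_public(SAMPLE):
        print(f"line {line}: function {name} has no visibility specifier")
```

Run against a contract's source before deployment, a check like this makes a missing “internal” visible in review; Solidity 0.5.0 and later reject such declarations at compile time.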

 

While the Parity engineering team is likely red-faced from what is possibly their worst ever day at work, at least their misery has company. There have been several successful Ethereum hacking attempts in the recent past — just last week, hackers made off with $7 million (Rs. 42 crore) of Ethereum during an initial coin offering by simply changing the address of the wallet where people had been pooling in money. Last year, hackers had similarly stolen $50 million.

These security breaches, while worrying, are unlikely to sway Ethereum enthusiasts. Ethereum is being touted as the next bitcoin, and is delivering returns to match. At the beginning of the year, it was valued at $10; just six months later, it had jumped to $372, turning several people into overnight millionaires. It’s currently valued at $224, and seems unswayed by the bad press it’s receiving. Just last month, its price had briefly crashed to $10, but was soon back up and trading at normal levels.

And while the latest attack was bad — experts are calling it the second biggest cryptocurrency heist in history — it could’ve been a lot worse. As it turns out, a group of white hat hackers saw the heist as it was happening. They realized that they couldn’t stop the hackers, so they did the next best thing. They themselves exploited the vulnerability, stealing $105 million or so that remained in the wallets so that the thieves couldn’t get to it. This white hat group says it intends to return the $105 million it has stolen to its rightful owners.

Good guys, bad guys, and rudimentary coding mistakes — cryptocurrency wallets are currently the Wild West of the programming world.