[Updates] Satoshi•Pie Ethereum multisig has been hacked

@hipster · 2017-07-19 20:52 · ethereum

In this post, we will keep you updated on the incident.

Contract address: 0xD0f706bF4738732145344Dc407d36b88859C3349

Incident: Breach in standard Parity multisig contract

23:02 PM local time 19 July 2017 All ether and all tokens except AIR and ANT have been withdrawn to an unknown destination. Working on withdrawing MYST.

23:10 PM local time According to Etherscan, this hack was likely a rescue by White Hats.

23:38 PM local time Current estimated impact: $7 641 533 as of last clearance round

00:06 AM local time 20 July 2017 At the moment the investment process has been stopped because Ethereum blockchain software is under attack. SPIES tokens are safe (issued by BitShares).

00:12 AM local time Currently, the address MultisigExploit-WhiteHat is sending transactions to (probably) new multisig contracts.

00:52 AM local time Estimation of vulnerable code based on contract version where White hats are sending values.

8 lines updated

01:00 AM local time Parity Blog: new version of the contract published in a Parity GitHub PR.

UPDATE (20/07/17, 00:26 CEST): Future multi-sig wallets created by versions of Parity are secure. Fix in the code is https://github.com/paritytech/parity/pull/6103 and the newly registered code is https://etherscan.io/tx/0x5f0846ccef8946d47f85715b7eea8fb69d3a9b9ef2d2b8abcf83983fb8d94f5f.

11:52 AM local time We are waiting for the announcement by White Hats Group. 2 scenarios:

  1. If they send funds back, losses will be 0.8% of Satoshi•Pie (MYST token).
  2. If not, losses will be 39.2% of Satoshi•Pie (all ETH and tokens except ANT and AIR).

According to our intuition, the first scenario is likely to happen, but we cannot predict the time. We are starting to process yesterday's deposits and withdrawals, as they should happen before the incident timestamp Jul-19-2017 06:34:46 PM +UTC.

02:44 PM local time [Image: eth-parity-breach-satoshipie-estimation]

Damage valuation as of current valuation round: [Image: eth-parity-breach-satoshipie-estimation-details]

04:03 PM local time Official statement by (Satoshi•Fund) and Fund managers (to be published in all official channels)

Working on vulnerability in Ethereum multisig contract

Yesterday, at Jul-19-2017 06:34:46 PM, the first transaction hit our multisig Satoshi•Pie contract. The majority of funds was siphoned: all ETH in 2 minutes, and all ERC20 tokens except ANT, AIR, and MYST in 1 hour. The breach led to unidentified accounts. We reacted in less than 2 hours and successfully used the exploit to drain the remaining tokens, ANT and AIR, to an address under our control. MYST attempts were unsuccessful. The history can be audited using Etherscan. The incident log can be found in English and Russian.

In parallel, it became known that the withdrawal was done by White Hats Group. Now we are waiting for a refund according to this statement of WHG on Reddit. After a fast investigation, it became clear that the damage is not existential and we are able to continue operations. 2 hours ago we processed yesterday's deposits and withdrawals, which should have happened before the incident timestamp anyway.

Our strategy is the following:

  1. We are going to continue to provide a best-in-breed blockchain asset management service.
  2. We are changing the valuation cycle from 24 hours to 1 week for the Satoshi•Pie product.
  3. That means that from now on all withdrawals and deposits will be possible once a week. If recovery happens earlier, we will let everybody withdraw on a daily basis during this transition week.
  4. We are implementing a hard limit on deposits and withdrawals at 10 BTC for one transaction. Fewer transactions should go through the market.
  5. We are considering moving Ethereum holdings (if recovered) to the Zeppelin smart contract framework.
  6. If the funds are not recovered by White Hats Group in 1 week, we will provide a path for alternative recovery strategies.
  7. We are going to publish a bug bounty program.

Thank you for being with us. For those who are not happy with our service, please be patient. You will be able to withdraw all your funds according to our terms. The new version of the Satoshi•Pie white paper will be published with updates soon.

00:16 AM local time 22 July 2017 Starting to audit calculations based on this announcement

01:00 PM local time 22 July 2017 We confirmed to WHG that the setting parameters for the deployed contracts are valid.

Now we are waiting until WHG gets enough evidence from the community that all calculations are correct before deploying new contracts.

00:16 PM local time 23 July 2017 The new contract deployed by WHG has been verified

05:18 PM local time 25 July 2017 All values have been returned under SatoshiPie control. The new contract. Until the full security audit is finished, in order to reduce risks, some part of the holdings will be under the direct control of fund managers using these accounts:

- 0x3AF5f67d0762B55EDDaEd71A5045D3f316Ee8b37
- 0x80BC9035Cf978f7A8D0Fd9FB39e131106E87B225
- 0x00073103C819211EF56D0A8ba7f71c11a84Aa55f

Russian version of the log by @litvintech on Golos

#ethereum #parity #hack #satoshifund #satoshipie