About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

An In-Depth Look at the Parity Multisig Bug- 860

Hacking DistributedPosted 3 Years Ago
  • Parity had wallets for cryptocurrency These had to be deployed by users, where their money was inside of it.
  • The wallet had two contracts: Wallet and WalletLibrary. If the withdraw() function was not called, then the call was sent to the WalletLibrary code. What's the problem here?
  • Any function within WalletLibrary can be called within the context of the Wallet. In particular, the function initWallet() could be called to change the owner of a contract through this arbitrary delegated call. Yikes!
  • Since the attacker is the owner of the wallet, they can drain all of the funds from the wallet. Wow, that's pretty horrible. Why did this happen?
  • All functions are default external and public. If the contract would checked for double initialization or put this function as internal, then this would not have been possible. It is believed that the authors thought that since the function had NO modifiers for the outside visibility, they were safe.
  • A white-hat hacker identified and drained all remaining wallets to give back to the rightful others. Blockchain is great because it's permanent. But, humans make mistakes, which lead to these issues.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed