If the theft of over $7 million in ethereum this week during an ICO wasn’t enough to cause a headache for advocates of the cryptocurrency, only two days later, another attack has allegedly resulted in the loss of at least $30 million.
Ethereum, also known as ether (ETH), is a kind of cryptocurrency which was recently part of an Initial Coin Offering (ICO) over at CoinDash.
The virtual currency was intended for use by investors to fund apps and services on the trading platform, but at the time the ICO was launched, a hacker allegedly compromised the CoinDash website to make off with a minimum of $7.4 million.
The attack took only minutes and the switch of a wallet address posted on the CoinDash website to one the alleged perpetrator controlled, but the damage was done — leaving investors millions out of pocket and CoinDash in serious trouble.
Ethereum traders may still be reeling from this incident, but less than 48 hours later, another alleged attack has taken place.
According to coding service Parity , a vulnerability exists in the latest 1.5 version and later of its software which acts as the backbone of cryptocurrency wallets.
The critical flaw, discovered in a specific multi-sig contract called wallet.sol, has resulted in at least three wallets being compromised and the loss of approximately $31 million dollars’ worth of ethereum.
If you have a multi-sig wallet, you should check to see if your stash of ethereum is still there.
However, if the wallet comes up empty, not all may be lost — as white hat researchers from Parity have attempted to mitigate the issue by draining every vulnerable wallet they could find into temporary holding wallets which are not vulnerable to the exploit.
So far, 377,000 in ethereum has been recovered in this way, amounting to over $77 million at the time of writing.
One of the victims, cryptocurrency commerce platform Swarm City, has acknowledged the company is one of the victims. In a statement, Swarm City said 44,055 ETH has been lost, which equates to approximately $9 million.
Edgeless Casino has lost roughly $5.6 million, and Aeternity has lost close to $17 million.
Ethereum traders on Reddit have suggested the attack was made possible through nothing more than a trivial programming error, rather than a sophisticated technique or security workaround.
“If you hold a multisig contract that was drained, please be patient,” the researchers posted on Etherscan . “They will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and will return your funds to you there.”
Parity warned users of the issue in a security advisory , which has now been updated to show future editions of the wallet software have been patched against the bug and likely will be released soon.