KurtKnudsen
@KurtKnudsen
Besides etherscan saying so?
Jordan Earls
@Earlz
What was the original purpose of the delegatecall function in the fallback function? I'm not clear why that is even necessary
Micah Zoltu
@MicahZoltu
Likely to reduce the upload costs.
Jorge Izquierdo
@izqui
@Earlz that claim about delegatecall is incorrect afaik. You cannot delegatecall to an internal function; the problem here is that initMultiowned is an external function that is delegatecalled to
try this snippet, it will fail because a delegatecall fails for going out of gas
pragma solidity ^0.4.11; // 0.4-era syntax, matching the original snippet

contract Test {
    // internal: no selector in the dispatch table, so no call (or delegatecall) can ever reach it
    function a() internal {}

    // fallback: delegatecall back into this contract with the unchanged calldata;
    // nothing matches the selector, so the fallback re-enters itself until gas runs out
    function () {
        require(address(this).delegatecall(msg.data));
    }
}
a() is never called externally (neither from an external address nor from a smart contract external call, even if itself)
Jordan Earls
@Earlz
Well I mean shouldn't this tx end in error since initWallet is internal? https://etherscan.io/tx/0x7ccab31c96aa35022e516ef10c4df8b9b1e3af103eb2f4c94e1d54f8987eb37f
Santiago Palladino
@spalladino
initWallet is not marked as internal, hence the issue
Jorge Izquierdo
@izqui
all functions by default are public
Jordan Earls
@Earlz
Wait, does Solidity default to public? The documentation is misleading in that case
Jorge Izquierdo
@izqui
where is it misleading?
Santiago Palladino
@spalladino

http://solidity.readthedocs.io/en/develop/contracts.html#visibility-and-getters

Functions can be specified as being external, public, internal or private, where the default is public

Jordan Earls
@Earlz
yea, I see that now. I was thinking of state variables
Jorge Izquierdo
@izqui
i don't think it is a very good idea tho (a debate will probably start now)
Jordan Earls
@Earlz
heh I won't touch that topic, but I'd definitely say forgetting something should result in a more secure configuration rather than less so
KurtKnudsen
@KurtKnudsen

Note: The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.

The White Hat account currently holding the rescued funds is https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a.

If you hold a multisig contract that was drained, please be patient. They will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and will return your funds to you there.

According to etherscan.io
Jordan Earls
@Earlz
This is crazy that such an obvious (well, hindsight is 20/20 but still) flaw made it past who knows how many reviews by very experienced solidity devs
Mo Balaa
@thebalaa
@Earlz ever heard of the DAO?
public should not be default
just like payable is no longer default
Jordan Earls
@Earlz
oh yea, the DAO was not so obvious, it required reentrancy. This though seems like a solidity design flaw making insecure code very easy to write for people not in the know
Follow up question: why does the contract here not list "initWallet" in its ABI JSON file? I assume that led to the bug being even harder to spot https://etherscan.io/address/0x4d6eb94205ed1ff9d0a20bfaaec2e8c196cf0908#code
Michael Bauer
@TripleSpeeder
@Earlz that's a good question
Michael Bauer
@TripleSpeeder
No Shit? Both are whitehats?
cadrem
@cadrem
idc, could be a misunderstanding on Andrew's side
idk
Michael Bauer
@TripleSpeeder
This would be huge, but hard to believe.
Michael Bauer
@TripleSpeeder
Fix committed on github: paritytech/parity@e06a1e8
Jordan Earls
@Earlz
No regression test to ensure it can't happen due to code changes in the future?
Alex Sunnarborg
@alexsunnarborg_twitter
Hudson Jameson
@Souptacular

@gavofyork

there is an effort by the foundation underway to secure funds in other wallets to prevent any further compromises; they will make an announcement in their own time.

That previous statement by Gav is inaccurate. The Ethereum Foundation is not associated with the White Hat Group and was not involved in securing funds. That is the White Hat Group.

If anyone who is associated with the Ethereum Foundation assisted in understanding the vulnerability that is on their own.
Dave Appleton
@DaveAppleton
It looks like there were copycat attacks later
Micah Zoltu
@MicahZoltu
@DaveAppleton Of significance?
Dave Appleton
@DaveAppleton
Oleksii Matiiasevych
@lastperson
this was me
Priyabrata Dash
@bobquest33
??
Oleksii Matiiasevych
@lastperson
this was me, helping out to white hat group
Priyabrata Dash
@bobquest33
ohh ok
you are great
Jackson Palmer
@ummjackson
who are these white hats?