Jordan Earls
@Earlz
Follow-up question: why does the contract here not list "initWallet" in its ABI JSON file? I assume that led to the bug being even harder to spot https://etherscan.io/address/0x4d6eb94205ed1ff9d0a20bfaaec2e8c196cf0908#code
Michael Bauer
@TripleSpeeder
@Earlz that's a good question
Michael Bauer
@TripleSpeeder
No Shit? Both are whitehats?
cadrem
@cadrem
idc, could be a misunderstanding on Andrew's side
idk
Michael Bauer
@TripleSpeeder
This would be huge, but hard to believe.
Michael Bauer
@TripleSpeeder
Fix committed on github: paritytech/parity@e06a1e8
Jordan Earls
@Earlz
No regression test to ensure it can't happen due to code changes in the future?
Alex Sunnarborg
@alexsunnarborg_twitter
Hudson Jameson
@Souptacular

@gavofyork

there is an effort by the foundation underway to secure funds in other wallets to prevent any further compromises; they will make an announcement in their own time.

That previous statement by Gav is inaccurate. The Ethereum Foundation is not associated with the White Hat Group and was not involved in securing funds. That is the White Hat Group.

If anyone who is associated with the Ethereum Foundation assisted in understanding the vulnerability, that is on their own.
Dave Appleton
@DaveAppleton
It looks like there were copycat attacks later
Micah Zoltu
@MicahZoltu
@DaveAppleton Of significance?
Dave Appleton
@DaveAppleton
Oleksii Matiiasevych
@lastperson
this was me
Priyabrata Dash
@bobquest33
??
Oleksii Matiiasevych
@lastperson
this was me, helping out the white hat group
Priyabrata Dash
@bobquest33
ohh ok
you are great
Jackson Palmer
@ummjackson
who are these white hats?
Micah Zoltu
@MicahZoltu
@ummjackson Random people on the internet that presumably want Ethereum to succeed long term or are bound by some form of moral code.
Jackson Palmer
@ummjackson
ok interesting... i heard they were potentially linked to the DAO white hats and wanted to verify if that is the case or not
Micah Zoltu
@MicahZoltu
They might be the same or similar set of people.
Nonetheless, those people are not bound by any formal organization that I know of.
Dave Appleton
@DaveAppleton
@lastperson thank you. Will PM you..
Micah Zoltu
@MicahZoltu
@lastperson Hmm, it seems you also liquidated my account. :)
Oleksii Matiiasevych
@lastperson
I made a handy script for that)
Micah Zoltu
@MicahZoltu
Let me know when you are in a position to let people recover. :)
Oleksii Matiiasevych
@lastperson
as TWHG have a plan (or it seems so), to redeploy contracts for all the holders, and fund it all back, I guess I will just pass all the ETH to them, so it all goes in one batch.
Micah Zoltu
@MicahZoltu
Probably should wait.
Their scripts may depend on them receiving the funds through a particular channel.
Oleksii Matiiasevych
@lastperson
if there will be any problems with it, I'm ok with returning it directly by doing verification manually.
Micah Zoltu
@MicahZoltu
That sounds painful.
Oleksii Matiiasevych
@lastperson
I only got my hands on 10-15 contracts, so shouldn't be a big problem.
Priyabrata Dash
@bobquest33
hmm what kind of script you developed ....
the whole issue has created a big impact
Oleksii Matiiasevych
@lastperson
if someone's tokens are not recovered yet from the multisig, message me in pm, I can recover them pretty fast. The TWHG script sometimes fails to recover them.
Ricardo Guilherme Schmidt
@3esmit
@gavofyork Sorry for the bug. I was the one that verified WalletLibrary in Etherscan because I was implementing it to Commiteth to reduce gas cost of deploy (as Status were paying for the deploys).
In my opinion, that contract is very important; because of this it should be kept updated with the latest Solidity practices to have better reading (and add test cases). I guess your multisig is cool but we need a code cleanup and upgrade of the multisig, keeping backward compatibilities and enhancing with "walletlibrary", "token support" (kill sends all eth+tokens out, useful for commiteth v1). If you need help, I can clean up Multisig as a synergic contribution from Status to Parity.
We are also considering using The Vault Contract, from Giveth, which has several security features, where a group of entities could become a Trust to delay payments in case of wallet compromising. See more about Vault here: https://medium.com/giveth/the-vault-contract-open-sourced-by-giveth-fe2261f7b91b
BTW Parity is my favorite ethereum client :)
Let me know your plans to multisig, so maybe I can help.
Jackson Palmer
@ummjackson
i think there's a lot of good intent here, but what about cases where the wallet owners didn't want their funds moved out of a wallet without their permission?
in some cases i imagine the users were planning to move the funds themselves, but would now find that white hats have done it on their behalf
without any clear instructions for actually recovering the funds back from the WH group
Calvin
@edgyezy
@lastperson Thanks Oleksii
Dave Appleton
@DaveAppleton
@ummjackson the WH group can, from the original wallet deployment (or later transactions) discover who the correct wallet holders are and therefore deploy a new (safe) wallet with the original owners.
Once they have done that, they can put up a public advisory to people to reclaim their funds. @lastperson could do the same.
Ricardo Guilherme Schmidt
@3esmit
@ummjackson WHG will recreate the same wallet config you have with an updated wallet that is not vulnerable. You will have back access to your funds shortly.
If for some urgency you need the funds for, like, a medical condition and need to sell, for example, sign a message from all formal owners of the wallet withdrawn by WHG requesting the amount and to what wallet. Send me those signatures and I will forward them to WHG. I can't promise you anything, but if the signatures match you have a chance.