Ricardo Guilherme Schmidt
@3esmit
@gavofyork Sorry for the bug. I was the one that verified WalletLibrary in ether.scan because I was implementing it to Commiteth to reduce gas cost of deploy (as Status were paying for the deploys).
In my opinion, that contract is very important, so it should be kept updated with the latest Solidity practices for better readability (and test cases added). I guess your multisig is cool but we need a code cleanup and upgrade of the multisig, keeping backward compatibility and enhancing it with "walletlibrary" and "token support" (kill sends all eth+tokens out, useful for commiteth v1). If you need help, I can clean up Multisig as a synergic contribution from Status to Parity.
We are also considering using The Vault Contract, from Giveth, which has several security features, where a group of entities could become a Trust to delay payments in case of wallet compromise. See more about Vault here: https://medium.com/giveth/the-vault-contract-open-sourced-by-giveth-fe2261f7b91b
BTW Parity is my favorite ethereum client :)
Let me know your plans to multisig, so maybe I can help.
Jackson Palmer
@ummjackson
i think there's a lot of good intent here, but what about cases where the wallet owners didn't want their funds moved out of a wallet without their permission?
in some cases i imagine the users were planning to move the funds themselves, but would now find that white hats have done it on their behalf
without any clear instructions for actually recovering the funds back from the WH group
Calvin
@edgyezy
@lastperson Thanks Oleksii
Dave Appleton
@DaveAppleton
@ummjackson the WH group can, from the original wallet deployment (or later transactions) discover who the correct wallet holders are and therefore deploy a new (safe) wallet with the original owners.
Once they have done that, they can put up a public advisory to people to reclaim their funds. @lastperson could do the same.
Ricardo Guilherme Schmidt
@3esmit
@ummjackson WHG will recreate the same wallet config you have with an updated wallet that is not vulnerable. You will have back access to your funds shortly.
If for some urgency you need the funds, for a medical condition for example, and need to sell, sign a message from all formal owners of the wallet withdrawn by WHG requesting the amount and to which wallet. Send me those signatures and I will forward them to WHG. I can't promise you anything, but if the signatures match you have a chance.
Jackson Palmer
@ummjackson
makes sense, thanks @DaveAppleton
Dave Appleton
@DaveAppleton
:-)
Jackson Palmer
@ummjackson
now i'm curious about the legality of the white hat transfers
i guess if 100% is returned everyone will be happy
better make sure the WHG wallet is secure in the meantime hehe
Ricardo Guilherme Schmidt
@3esmit
I guess this falls into an Urgent Public Service, that had no time to go to court to get acceptance. It would be ridiculous to have bureaucracy helping a hacker to steal more funds.
A. F. Dudley
@AFDudley
@ummjackson what's the legality of deploying buggy code in the first place. "Bugs as law"
Jackson Palmer
@ummjackson
yeh absolutely, it's a grey area
in a sense it's probably fine as long as nobody gets screwed over
Ricardo Guilherme Schmidt
@3esmit
@AFDudley Parity & ethereum come with no warranty, right? This is all software under development and all code is open source and anyone could have fixed it. By the way, I feel responsible for this hack because I didn't spot this ridiculous bug earlier, and I have worked with this contract, I just didn't read it in detail, assuming everyone did, but everyone assumed everyone checked it.
A. F. Dudley
@AFDudley
@3esmit If I were you, I wouldn't feel bad. I don't want to be impolite, but there is a chain of responsibility; if none of these companies paid you to do an audit, and you didn't actually commit the bad code, I don't see how you could have a legal responsibility. Of course, this is not legal advice, I am not a lawyer.
Jackson Palmer
@ummjackson
yeah i need to read their ToS
hmm there isn't actually anything saying "use at your own risk" etc. like the MIT license does
image.png
also this
A. F. Dudley
@AFDudley
There should be a test suite in repo that checks if a function is supposed to only work once, it actually does. I don't understand why people deploy smart contracts that don't have full and clear test coverage.
Jackson Palmer
@ummjackson
oh well i'm sure Gav has lawyers
A. F. Dudley
@AFDudley
I'm guessing they don't have a test that compiles that code.
ethgod99
@ethgod99
Investment banking analyst here looking for someone to work with directly in creating an ICO. We can discuss compensation. Email: troll4d@gmail.com
Ricardo Guilherme Schmidt
@3esmit
This happens because this tweaked wallet is not in paritytech/contracts, where it should be. Rather, it is hidden in complex code, because they did a trick to use less gas.
The code inside Parity repo is actually compiled binary, with a reference in comments for where the source is stored
source is at parity/js/src/contracts/snippets/enhanced-wallet.sol
Soepkip-
@Soepkip-
@lastperson Just send you a mail :)
Oleksii Matiiasevych
@lastperson
got it :)
Soepkip-
@Soepkip-
God man, i love that there are honest people in the world.
Juliano Rizzo
@juli
talking about security, can we do something better than MD5 here : https://github.com/paritytech/parity/releases ?
Soepkip-
@Soepkip-
Thanks so much @lastperson :)
Ricardo Guilherme Schmidt
@3esmit
@juli I already suggested this a long time ago. It's MD5 because of Windows compatibility
Juliano Rizzo
@juli
makes no sense
Ricardo Guilherme Schmidt
@3esmit
Dave Appleton
@DaveAppleton
Need to talk to securify.ch about using their automated tool for vulnerability scanning ...
Juliano Rizzo
@juli
@3esmit both comments are wrong; if users can't check sha256 on Windows then they should not run Parity, you can always provide multiple hashes and you can publish signed hashes somewhere else if that is what Gav meant.
Ricardo Guilherme Schmidt
@3esmit
Yeah :/
Juliano Rizzo
@juli
I guess someone else writes Parity's crypto code
Ricardo Guilherme Schmidt
@3esmit
Well, I'm absolutely right that Parity didn't want this to happen and a blind spot that cost millions. I have criticism of how difficult this information was to access in the parity repository; to verify it on ether.scan (which I did) I dug a lot under the code and figured out I had to replace 0xcafecafecafecafe with the walletlibrary address. And then it worked. Sadly I didn't audit the changes, we need to stop assuming things are right, and start assuming they are wrong until personal verification (I've added those instructions to my brain :laughing: ).
danielwalton
@danielwalton
can I access the github hint contract on ropsten?
Engr.Muzammal Naseer
@muzammalnaseer_twitter
can someone please guide me, i am a newbie and i have funds in parity.. Should i move them? how can i check whether they are in an account or in a multisig wallet? Please help seniors
Micah Zoltu
@MicahZoltu
@muzammalnaseer_twitter If you aren't sure then it is very unlikely that you are using a multisig wallet, which means it is very unlikely that you are at risk from the recent bug.
Also, I believe at this point all affected multisig wallets have been liquidated by either the bad guys or the good guys, so if you still have funds then it is even more unlikely that you are using an affected wallet.
Engr.Muzammal Naseer
@muzammalnaseer_twitter
@MicahZoltu but i can see my funds available in parity Account
Micah Zoltu
@MicahZoltu
Then you are very likely fine and have nothing to worry about.