Deconstructing the Parity Multi-Signature Wallet Hack

May 21, 2021 - Zero Friction performed an investigation of the Parity Multi-Signature Wallet Hack, in which the hackers siphoned over 150,000 ETH with a current market value exceeding $405M. As of May 20, 2021, the following were observed:

  1. The timestamps of one of the initial three inbound transfers from Wallets #1, #2 and #3, and of the outbound transfers to the eight addresses, suggest that the hackers may be located in an Eastern region.

  2. Most of the stolen funds have been liquidated across several exchange services, including:

     • Changelly

     • ShapeShift

     • An unknown centralized service (likely the now-defunct exchange walletchanger.com)

  3. Approximately 32% of the stolen funds, or $107.2M, remain on-chain across five addresses controlled by the hackers and have not been liquidated as of today.

  4. Recovery may be possible by monitoring the existing addresses holding the remaining funds for any movement into a KYC-compliant exchange.

  5. The hackers are still active and may be experimenting with different approaches to launder the remaining funds through decentralized finance (DeFi) marketplaces such as Uniswap.
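The monitoring approach behind findings 3 to 5 (watch the addresses still holding stolen funds, raise an alert when they move, and distinguish a deposit at a KYC exchange from a swap-service or DeFi liquidation attempt) can be expressed as a small watchlist monitor. The code below is an added example and is not Zero Friction's tooling or part of the Breadcrumbs Investigation Tool. The only real value in it is the hacker address named in this report; every counterparty label, the hop address and the transfer feed are constructed sample data, and the attribution table stands in for whatever labelling source an investigator actually uses.

```python
"""Watchlist monitor for stolen-fund holding addresses (added example, constructed data)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Address named in the report as hacker-controlled. All other addresses below are constructed.
HACKER_ADDRESS = "0xb3764761e297d6f121e79c32a65829cd1ddb4d32"

# Counterparty attribution table (constructed stand-in for an attribution provider's labels).
# kind: "exchange" = KYC-compliant exchange deposit, "swap_service" = instant-swap service,
# "dex" = decentralized-exchange router.
LABELS = {
    "0xaaaa000000000000000000000000000000000001": ("exchange", "KYC exchange deposit (constructed)"),
    "0xaaaa000000000000000000000000000000000002": ("swap_service", "instant-swap service (constructed)"),
    "0xaaaa000000000000000000000000000000000003": ("dex", "DeFi router (constructed)"),
}

# Alert severity per destination kind: an exchange deposit is the one place a freeze/KYC
# request can actually recover funds, so it ranks highest; a hop to a fresh address is
# tracked rather than escalated.
SEVERITY = {"exchange": "critical", "swap_service": "high", "dex": "high", "hop": "medium"}


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    timestamp: int  # unix seconds
    sender: str
    recipient: str
    value_eth: float


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    severity: str
    kind: str  # "exchange" | "swap_service" | "dex" | "hop"
    value_eth: float
    note: str


def classify(transfer: Transfer, watchlist: Set[str]) -> Optional[Alert]:
    """Return an Alert when a transfer moves funds out of a watched address, else None."""
    if transfer.sender.lower() not in watchlist:
        return None  # inbound or unrelated traffic is not an outflow of stolen funds
    kind, label = LABELS.get(transfer.recipient.lower(), ("hop", "unlabelled address"))
    if kind == "exchange":
        note = f"{label}: candidate for a freeze/KYC request"
    elif kind == "hop":
        note = f"{label}: funds moved to a new holding address, now watched"
    else:
        note = f"{label}: likely liquidation attempt"
    return Alert(transfer.tx_hash, SEVERITY[kind], kind, transfer.value_eth, note)


def monitor(transfers: Iterable[Transfer], seeds: Iterable[str]) -> Tuple[List[Alert], Set[str]]:
    """Process transfers in time order. Each hop to an unlabelled address extends the
    watchlist so that later outflows from that address are also caught."""
    watchlist = {a.lower() for a in seeds}
    alerts: List[Alert] = []
    for t in sorted(transfers, key=lambda x: x.timestamp):
        alert = classify(t, watchlist)
        if alert is None:
            continue
        alerts.append(alert)
        if alert.kind == "hop":
            watchlist.add(t.recipient.lower())
    return alerts, watchlist


# Constructed sample feed: hop to a fresh address, then a DEX swap and an exchange deposit
# from that hop address, then an unrelated inbound transfer that must not alert.
HOP_ADDRESS = "0xbbbb000000000000000000000000000000000001"
SAMPLE_FEED = [
    Transfer("0xtx1", 1621468800, HACKER_ADDRESS, HOP_ADDRESS, 500.0),
    Transfer("0xtx2", 1621472400, HOP_ADDRESS, "0xaaaa000000000000000000000000000000000003", 120.0),
    Transfer("0xtx3", 1621476000, HOP_ADDRESS, "0xaaaa000000000000000000000000000000000001", 380.0),
    Transfer("0xtx4", 1621479600, "0xcccc000000000000000000000000000000000001", HACKER_ADDRESS, 1.0),
]


def run_sample() -> Tuple[List[Alert], Set[str]]:
    """Run the monitor over the constructed feed seeded with the report's hacker address."""
    return monitor(SAMPLE_FEED, [HACKER_ADDRESS])


if __name__ == "__main__":
    for a in run_sample()[0]:
        print(a.severity.upper(), a.tx_hash, a.kind, f"{a.value_eth} ETH", a.note)
```

Run against the constructed feed, the monitor yields three alerts in order: a medium "hop" for the first outflow, a high "dex" alert for the swap from the hop address, and a critical "exchange" alert for the deposit, while the inbound transfer produces nothing. The follow-the-hop behaviour is the important design choice: without extending the watchlist, the liquidation from the second address would be missed, which is exactly how peel chains escape a static address list.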

On Wednesday, July 19th, 2017, the multi-signature wallet ("multi-sig") code used as part of the Parity Wallet software was exploited by parties unknown. Using the exploit described here, three addresses holding large balances of ETH, approximately 150,000 ETH in total, worth about $30M in 2017 and $405M at current value, were compromised and their balances moved into addresses controlled by the hackers.


The postmortem analysis of the event revealed that the root cause for the hack was a bug in a pair of extremely sensitive functions designed to allow the set-up of "multi-sig" wallets in the Parity Wallet software. Per Parity,

“The functions should have been protected in order that they be usable only in one specific circumstance, as the contract was being created. However, they were entirely unguarded, which allowed the attacker to reset the ownership and usage parameters of existing wallets arbitrarily.”

Thanks to a group of White Hat hackers, the other affected addresses with the same vulnerability were also drained using the same technique, and those funds were ultimately returned to their rightful owners.


Key information utilized to conduct the analysis was:


Wallet #1: 0xbec591de75b8699a3ba52f073428822d0bfc0d7e

Wallet #2: 0x50126e8fcb9be29f83c6bbd913cc85b40eaf86fc

Wallet #3: 0x91efffb9c6cd3a66474688d0a48aa6ecfe515aa5

Hackers Address: 0xb3764761e297d6f121e79c32a65829cd1ddb4d32


The scope of this analysis is limited to the funds that were taken by the original hackers. The analysis was performed by Tuan Phan from Zero Friction LLC using the Breadcrumbs Investigation Tool.


The data set for the analysis can be obtained from https://www.breadcrumbs.app/reports/592 (subscription required).


The completed report can be downloaded from the Investigation Report link below.

Investigation Report: R202105-001R0.pdf (PDF, 581KB)

Zero Friction provides the expertise to assist organizations and individuals with the following blockchain forensic services:

  • Conduct comprehensive wallet and related transaction analysis. Establish relationships across transactions and wallets. Where possible, deanonymize the senders and recipients. Assist with reporting and walkthrough of the analysis for law enforcement and tax authorities.

  • Identify and monitor holding addresses through the blockchain in order to catch and recover stolen funds.

  • Prove to tax authorities and law enforcement that you are a victim of a hack and your funds are no longer in your control.

  • Defend individuals against accidental blacklisting of addresses, legal or exchange freezes of funds, or wrongful accusations of theft.

  • Locate exchanges where funds may have been sent but forgotten.

  • Recover lost wallet seeds and private keys.