DAO-Over? $31 Million Stolen From ICOs, 19 Tokens Vulnerable
153,000 ETH (and counting) has been funneled into one address from several ICOs today, harking back to the days of Slock.it and the DAO. The $31 million USD theft raises questions about both the security and the sustainability of the ICO ecosystem, and puts the Ethereum Foundation in another impossible position.
Parity Multisig Wallets Are the Weak Link
The vulnerability that the as yet unidentified hacker seems to be exploiting lies in Parity multisig wallets and allows outside attackers to drain them. The three ICOs affected in the initial attack were Aeternity Blockchain, Edgeless Casino, and Swarm City.
However, “white hat” hackers were able to drain a further 16 ICOs, bringing the total vulnerable value to over $105 million at the time of writing.
Hack Has Cratered the ICO Landscape
The list of affected tokens isn’t confined to the margins of ERC20 launches. Projects as large as Golem, Gnosis, and Storj were vulnerable. One of the groups attempting to mitigate the losses described the exploit as:
“trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible”
While the methods used and the projects affected differ from the DAO implosion, the parallels are easy to draw. Bad security practices, immature code, and blind optimism about the ecosystem made easy pickings for bad actors as soon as the pot grew big enough. The only real question remaining is whether history will repeat itself in the form of a hard fork as well.
So Where Do We Go From Here?
Twitter has been on fire since the initial ICO drain. Crypto and blockchain experts were prophesying doomsday for Ethereum and the ICO space alike — even as Vitalik Buterin, principal founder of Ethereum, tried to put those fires out.
Some asked if Ethereum would fork its blockchain to “undo” the hack, like it did after the DAO incident last year:
1. Ecosystem less mature then
2. More at stake then as % of all ETH
3 [most impt]. Today's attacker can just move funds, so HF is impossible
— Vitalik "Not giving away ETH" Buterin (@VitalikButerin) July 19, 2017
Whether or not a hard fork or similar central action is implemented to bail out those affected, a $105 million security oversight, coming in the wake of painfully similar problems with the first wave of dApps, indicates systemic problems with Ethereum.
In a community whose first response to criticism of its technologies is to shout down critics and label them “Bitcoin maximalist” or “concern troll,” flaws tend to be exploited rather than fixed in a timely and low-impact manner.
Did you, or anyone you know, lose money in this hack? Let us know.
Images via Tyson O’Ham