Hackers Stole $37 Million In Ether Heist, Raising Questions About Cryptocurrency Security

Unknown hackers stole $37 million worth of ether from Tuesday to Wednesday, Gizmodo reported. A group of white hat ethical hackers quickly countered to protect the remaining funds

Here’s a very short and oversimplified version of what happened, based on what experts told International Business Times: Ethereum’s contract writing language makes some functions public by default if they're not specifically marked as private. So a bug in a smart contract with multiple signatures could be leveraged to shift control of the wallet and approve transactions. Basically, a specific smart contract with several keys was tricked into requiring no key at all thanks to a tiny piece of public code.

Read: Blockchain Security Breach: Hackers Stole $7 Million From CoinDash Initial Coin Offering

“Online services that 'store' the funds in the cloud are most exposed to attacks and abuse,” Hamid Karimi, Vice President of Business Development at Beyond Security, told IBT.

Cryptocurrency experts pointed out the vulnerability came from a bug in one type of digital wallet, not Ethereum or even all of Parity’s smart contracts. Parity Technology was quick to publish a statement that the bug was fixed and from now on their multisig wallets won’t have this security flaw.

However, just like we saw earlier this week with the CoinDash theft, the incident proves that third party platforms are not as secure as the blockchain network itself. Karimi said company budgets often prioritize scaling issues and outlier threats rather than routine maintenance. Plus, the technology is so new that both hackers and service providers are essentially learning as they go. “I don’t see any way out of the current crisis,” Karimi said. “The attackers are just as sophisticated, if not more, than the security teams.”

Read: Rumors About Anonymous Ethereum Millionaires Raise Questions About Blockchain Privacy

Legislators are ramping up efforts to regulate cryptocurrency businesses, with proposals like the Uniform Regulation of Virtual Currency Businesses Act that passed on Wednesday. The legislation sparked fierce debate in the blockchain community, including both criticism from the Bitcoin Foundation and adamant support from the Coin Center, a blockchain and public policy think tank. Unfortunately, the recent ether heist was a technical issue with a multisig wallet, which falls outside the clearly defined regulatory categories addressed in the new legislation.

In the meantime, Karimi recommends cryptocurrency users pay special attention to the security habits of the third party platforms they use, including digital wallets and currency exchanges. He recommends using sites that carry a security certificate when possible, and asking service providers whether they have already hardened their sites and applications with tools like blackbox and whitebox testing.

“It goes without saying that users must both backup and encrypt their wallet contents,” Karimi said. “Lastly you can use multiple services to spread the funds across different wallet platforms.”