[Updates] Satoshi•Pie Ethereum multisig has been hacked
In this the post, we will keep you updated on the incident.
Contract address : 0xD0f706bF4738732145344Dc407d36b88859C3349
Incident: Breach in standard Parity multisig contract
23:02 PM local time 19 July 2017
Has been withdrawn to unknown destination all ethers and all tokens except AIR and ANT. Working on withdrawing MYS.
23:10 PM local time
According to Etherscan this hack was likely rescued by White hats
23:38 PM local time
Current estimated impact: $7 641 533 as of last clearance round
00:06 AM local time 20 July 2017
At the moment investment process has been stopped because Ethereum blockchain software is under attack. SPIES tokens are safe (issued by BitShares)
00:12 AM local time
Currently,, address MultisigExploit-WhiteHat sending transactions to (probably) new multisig contracts
00:52 AM local time
Estimation of vulnerable code based on contract version where White hats are sending values.
8 lines updated
01:00 AM local time
Parity Blog
Published new version of contract in Parity Github PR.
UPDATE (20/07/17, 00:26 CEST): Future multi-sig wallets created by versions of Parity are secure. Fix in the code is https://github.com/paritytech/parity/pull/6103 and the newly registered code is https://etherscan.io/tx/0x5f0846ccef8946d47f85715b7eea8fb69d3a9b9ef2d2b8abcf83983fb8d94f5f.
11:52 AM local time
We are waiting for the the annnouncement by White Hats Group. 2 scenarios:
- If they send funds back losses will be 0.8% of Satoshi•Pie (MYST token)
- If not losses will be 39.2% of Satoshi•Pie (all ETH and tokens except ANT and AIR)
According to our intuition, the 1 scenario is likely to happen but we cannot predict the time. We are starting to process yesterday deposits and withdrawals as they should happen before incident timestamp Jul-19-2017 06:34:46 PM +UTC.
02:44 PM local time
Damage valuation as of current valuation round:
04:03 PM local time
Official statement by (Satoshi•Fund) and Fund managers
(to be published in all official channels)
Working on vulnerability in Etheruem multisig contract
Yesterday in Jul-19-2017 06:34:46 PM first transaction hit our multisig Satoshi•Pie contract. The majority of funds was siphoned in 2 minutes (all ETH) and all ERC20 tokens except ANT, AIR, and MYST) in 1 hour. The breach led to not identified accounts. We reacted in less than 2 hours and successfully use exploit to drain remaining tokens ANT and AIR to address under our control. MYST attempts were unsuccessful. The history can be audited using Etherscan. Incident Log can be found in English and Russian
In parallel become known that withdrawn has been done by White Hats Group. Now we are waiting for refund according to this statement of WHG on Reddit. After fast investigation become clear that damage is not existential and we are able to continue operations. 2 hours ago we processed yesterday deposits and withdrawals that anyway should happen before incident timestamp.
Our strategy is the following:
- We are going to continue to provide best in breed blockchain asset management service.
- We are changing valuation cycle from 24 hours to 1 week for Satoshi•Pie product.
- That means that since now all withdrawals and deposits will be possible once in a week. If recovery will happen earlier we will let to withdraw on a daily basis for everybody during this transmission week.
- We are implementing a hard limit on deposits and withdrawals at 10 BTC for one transaction. Fewer transactions should go through the market.
- We consider moving Ethereum holdings (if recovered) to Zeppelin smart contract framework.
- If not recovered by White Hats Group in 1 week we will provide us a path for alternative recovery strategies.
- We are going to publish bug bounty program.
Thank you that you are with us. For those who are not happy with our service please be patient. You will be able to withdraw all your funds according to our terms.
The new version of Satoshi•Pie white paper will be published with updates soon.
00:16 AM local time 22 July 2017
Starting to audit calculations based on this announcement
01:00 PM local time 22 July 2017
We confirmed to WHG that setting parameters for deployed contracts are valid.
Now we are waiting until WHG get enough evidence from a community that all calculations are correct before deploying new contracts.
00:16 PM local time 23 July 2017
The new contract deployed by WHG has been verified
05:18 PM local time 25 July 2017
All values has been returned under SatoshiPie control. The new contract.
Until full security audit will not be finished in order to reduce risks some part of holdings will be under direct control of fund managers using this accounts:
- 0x3AF5f67d0762B55EDDaEd71A5045D3f316Ee8b37
- 0x80BC9035Cf978f7A8D0Fd9FB39e131106E87B225
- 0x00073103C819211EF56D0A8ba7f71c11a84Aa55f
Версия лога на русском by @litvintech на Голосе
So the whitehat hackers saved the day for you also ?
Glad those guys exist... It's noble people like that that make the Ethereum (and most non-scammy crypto platforms) amazing!
Hope so
Guys, you do a great job. You reasoned very quickly. You accomplished everything professionally. I would like to see the separate article with a detailed explanation of what exactly happened, who it was, what you did, also the outcomes and further changes we may see.
Finally, I want to say thank you for being entirely client-oriented.
@hipster, русский Steemit совсем в упадке?
Все на Голос ушли?
Keep up with the good work guys!
0_о
Vitalik, we need fork of fork now ;)))))))))))))))))))))))))
Ethereum, Ethereum Classic, and Ethereum Classic Strikes Back The Forkening!
You guys still don't get what the issue was.
When are you going to update whitepaper and enable investment receiving?
"Until full security audit will not be finished" when will that be?
Take care!
I'm also on of the small investors. I remember when I invested there was a calculator (based on previous data) which showed approximate increase in 20 times (years). I.e. if I invested around $50 - it should be $1400 in a year
Then I only saw fall (because of Ethereum fall in price, and Bitcoin also was bit cheaper), I also noticed you significantly decrease Ethereum part of your portfolio after that.
Which changes do you plan to shape your portfolio? May be invest more in EOS?
Hey satoshi, what's the latest news? How much of the fund was actually stolen?
When are you restarting your fund?
The funds have been returned to satoshi.fund's controlled accounts. So no loss resulted after the incident