Parity MultiSig Wallet

ID Submit date Publish date Author Score
1 10.26.2018 10.26.2018 10.0

Description

The initWallet() function is called in the wallet's constructor and sets the owners for the multi-sig wallet, as can be seen in the initMultiowned() function. Because these functions were accidentally left public, an attacker was able to call them on deployed contracts, resetting the ownership to the attacker's address. As the owner, the attacker then drained the wallets of all their ether, to the tune of $31M.

Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:H/AI:L

Component

Smart contract

Platform

Ethereum

Subclass

Default Visibilities

Original source

https://github.com/paritytech/parity-ethereum/blob/4d08e7b0aec46443bf26547b17d10cb302672835/js/src/contracts/snippets/enhanced-wallet.sol
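
A source-level check for the "Default Visibilities" subclass described in this entry, added here as an example (it is not code from the Parity project or from this database): a small Python lint that flags Solidity function declarations carrying no visibility keyword, which compilers before 0.5.0 treat as public. The sample contract is constructed; only the names initWallet and initMultiowned come from the entry, the other function and modifier names are hypothetical.

```python
import re

VISIBILITY = {"public", "external", "internal", "private"}
# A header runs from `function` to the first `{` (definition) or `;` (declaration).
HEADER = re.compile(r"\bfunction\b\s*(\w*)\s*\(([^)]*)\)([^{;]*)[{;]")
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def implicit_public(src):
    """Return [(line, name)] for each function that has no visibility keyword."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    clean = COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    findings = []
    for m in HEADER.finditer(clean):
        # Everything between `)` and `{`: visibility, mutability, modifiers, returns.
        words = set(re.findall(r"[A-Za-z_]\w*", m.group(3)))
        if not words & VISIBILITY:
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1) or "(fallback)"))
    return findings

# Constructed sample, not the original wallet source.
SAMPLE = """\
pragma solidity ^0.4.9;
contract WalletLibrary {
  // function oldInit() { }   <- commented out, must be ignored
  function initMultiowned(address[] _owners, uint _required) {
    m_required = _required;
  }
  function initWallet(address[] _owners, uint _required, uint _daylimit) {
    initMultiowned(_owners, _required);
  }
  function ownerCount() public constant returns (uint) {
    return m_numOwners;
  }
  function shutDown(address _to)
    onlyOwners(sha3(msg.data))
    external
  {
    suicide(_to);
  }
}
"""

if __name__ == "__main__":
    for line, name in implicit_public(SAMPLE):
        print("line %d: %s has no explicit visibility (public by default)" % (line, name))
```

Solidity 0.5.0 and later reject a function without an explicit visibility, so the check matters for older sources; it is regex-based and does not account for string literals that contain comment markers.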
