Back to Vulnerability database

Parity MultiSig Wallet

ID Submit date Publish date Author Score
1 10.26.2018 10.26.2018 10.0

Description

he initWallet() function is called in the wallets constructor and sets the owners for the multi-sig wallet as can be seen in the initMultiowned() function. Because these functions were accidentally left public, an attacker was able to call these functions on deployed contracts, resetting the ownership to the attackers address. Being the owner, the attacker then drained the wallets of all their ether, to the tune of $31M. Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:H/AI:L

Original source

https://github.com/paritytech/parity-ethereum/blob/4d08e7b0aec46443bf26547b17d10cb302672835/js/src/contracts/snippets/enhanced-wallet.sol

Comments