anyone can kill your contract #6995

Closed
ghost opened this Issue Nov 6, 2017 · 17 comments

ghost commented Nov 6, 2017

I accidentally killed it.

https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4

jtakalai commented Nov 6, 2017

Hmmh, clearly the kill came from the registered owner, and required signatures was 0; see the initWallet transaction arguments: https://etherscan.io/tx/0x05f71e1b2cb4f03e547739db15d080fd30c989eda04d37ce6264c5686e0722c9

ghost commented Nov 6, 2017

Will it affect the dependent multisig wallets? When I query "isowner(<any_addr>)", the multisig wallets return TRUE.

Contributor

Office-Julia commented Nov 7, 2017

Hello. May I ask why you decided that anyone can kill the contract?
You're the owner and you can kill the contract as it is supposed to be, so it's expected behaviour, isn't it?

Regards,
Julia.

ghost commented Nov 7, 2017

Hello, first of all I'm not the owner of that contract. I was able to make myself the owner of that contract because it's uninitialized.

These (https://pastebin.com/ejakDR1f) multisig wallets deployed using Parity were using the library located at the "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address. I made myself the owner of the "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" contract and killed it, and now when I query the dependent contracts' "isowner(<any_addr>)" they all return TRUE because the delegatecall is made to a dead contract.

I believe someone might exploit it.

@ghost ghost closed this Nov 7, 2017

@ghost ghost reopened this Nov 7, 2017

hlogeon commented Nov 7, 2017

Hello! We've clashed with this problem! Thanks Parity for the great contract again ;)
Any ideas on how we can get our ETH and tokens back from the hacked multisig?
I think that we can get ETH back just by killing the contract itself, but what about tokens?

hlogeon commented Nov 7, 2017

For those Parity guys who don't believe that this exploit works - check out your library which was used by multiple multisigs: https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4#code

hlogeon commented Nov 7, 2017

It looks like kill will not work on the contract itself if the library was killed. Nice job, Parity

ghost commented Nov 7, 2017

@hlogeon 1. Why won't kill work?
2. Will ether transfer by owners work?

hlogeon commented Nov 7, 2017

@devops199
Because there is the onlymanyowners modifier, which I think refers to the library. I didn't check why it's not working, but the result of calling kill by 3 owners with the same arguments is just nothing.
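The two failure modes reported in this thread, an uninitialised shared library that anyone can claim and self-destruct, and wallets whose proxied isowner() query reads a dead library as TRUE, can be reproduced and hardened in a small library/wallet pair. The following is an added example written for this page, not Parity's wallet code; the contract names, the `initialised` flag, the `only_uninitialized` and `onlyowner` modifiers (a single-owner simplification of the `onlymanyowners` modifier mentioned above), the `kill(address)` signature and the 0.8.x syntax are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical library/wallet pair (not Parity's code) reproducing the two
// weaknesses discussed in this thread and hardening each:
//   1. a library that is itself uninitialised, so anyone can call initWallet()
//      on it directly, become its owner and self-destruct it;
//   2. a wallet whose proxied isOwner() returns the delegatecall *success flag*,
//      which is true even when the library has been destroyed, so every
//      address looks like an owner once the library is gone.

contract WalletLibrary {
    // Storage layout is shared with Wallet via delegatecall; keep slots aligned.
    address[] public owners;     // slot 0
    uint256 public required;     // slot 1
    bool internal initialised;   // slot 2

    // Hardening 1: mark the library's own storage as initialised at deployment,
    // so only_uninitialized can never pass when the library is called directly.
    constructor() {
        initialised = true;
    }

    modifier only_uninitialized() {
        require(!initialised, "already initialised");
        _;
    }

    modifier onlyowner() {
        require(_isOwner(msg.sender), "not an owner");
        _;
    }

    // Reached through the wallet's delegatecall this writes the *wallet's*
    // storage, which starts out uninitialised, so each wallet can be set up once.
    function initWallet(address[] calldata _owners, uint256 _required)
        external
        only_uninitialized
    {
        require(_owners.length > 0, "no owners");
        require(_required > 0 && _required <= _owners.length, "bad required count");
        owners = _owners;
        required = _required;
        initialised = true;
    }

    function isOwner(address _addr) external view returns (bool) {
        return _isOwner(_addr);
    }

    // On the library itself owners[] is empty, so nobody can satisfy onlyowner
    // and destroy the code every wallet depends on.
    function kill(address payable _to) external onlyowner {
        selfdestruct(_to);
    }

    function _isOwner(address _addr) internal view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == _addr) return true;
        }
        return false;
    }
}

contract Wallet {
    address[] public owners;       // slot 0, mirrors WalletLibrary
    uint256 public required;       // slot 1
    bool internal initialised;     // slot 2
    address public immutable lib;  // immutable: occupies no storage slot

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        require(_lib.code.length > 0, "library has no code");
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "wallet init failed");
    }

    // Weak form (0.4-era syntax, illustrating what the thread reports):
    //   function isOwner(address) returns (bool) { return lib.delegatecall(msg.data); }
    // That returns the success flag, and a delegatecall to an address without
    // code succeeds, so after the library is killed it is TRUE for any address.
    //
    // Hardening 2: refuse to proxy into a codeless address and decode the
    // library's actual return value. (Not `view`: Solidity forbids delegatecall
    // in view functions.)
    function isOwner(address _addr) external returns (bool) {
        require(lib.code.length > 0, "wallet library has been destroyed");
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok && ret.length == 32, "library call failed");
        return abi.decode(ret, (bool));
    }
}
```

With the library initialised in its own constructor, a direct initWallet() call against the library address reverts, so the kill() path is never reachable there; with the extcodesize check and decoded return value in the wallet, a query against a destroyed library reverts instead of silently answering TRUE, which is the condition that made every address look like an owner in the wallets linked above.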

noxonsu commented Nov 7, 2017

"pragma solidity ^0.4.9;" released on 31 Jan

hlogeon commented Nov 7, 2017

"pragma solidity ^0.4.9;" released on 31 Jan

How does it solve the problem?

Contributor

tomusdrw commented Nov 7, 2017

Please read the details of the issue here: https://paritytech.io/blog/security-alert.html

We are analysing the situation and will release an update with further details shortly.

Member

5chdn commented Nov 9, 2017

The library is removed from the registry and all current Parity Wallet versions default to the WHG multi-signature wallets.

@5chdn 5chdn closed this Nov 9, 2017

@5chdn 5chdn added this to the 1.9 milestone Nov 13, 2017

@paritytech paritytech unlocked this conversation Nov 13, 2017

RafaelCosman commented Dec 22, 2017

bernardpeh commented Jan 19, 2018

How come the last 2 links no longer work?

Member

kirushik commented Jan 19, 2018

@bernardpeh Our bad, blog engine update ruined some of the links. Thanks for reporting.
I took a liberty to fix the links in the comment — it will do as a stopgap measure, but we'll definitely fix the underlying cause as well.

wongwf82 commented Jul 22, 2018
