anyone can kill your contract #6995

Closed
ghost opened this issue Nov 6, 2017 · 17 comments

@ghost

commented Nov 6, 2017

I accidentally killed it.

https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4

@jtakalai

commented Nov 6, 2017

Hmmh, clearly the kill came from registered owner, and required signatures was 0, see initWallet transaction arguments https://etherscan.io/tx/0x05f71e1b2cb4f03e547739db15d080fd30c989eda04d37ce6264c5686e0722c9

@ghost

Author

commented Nov 6, 2017

Will it affect the dependent multisig wallets? When I query "isowner(<any_addr>)" the multisig wallets return TRUE.

@Office-Julia

This comment was marked as outdated.

Contributor

commented Nov 7, 2017

Hello. May I ask why you decided that anyone can kill the contract?
You're the owner and you can kill the contract as it's supposed to be, so it's expected behaviour, isn't it?

Regards,
Julia.

@ghost

Author

commented Nov 7, 2017

Hello, first of all I'm not the owner of that contract. I was able to make myself the owner of that contract because it's uninitialized.

These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at the "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address. I made myself the owner of the "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" contract and killed it, and now when I query the dependent contracts with "isowner(<any_addr>)" they all return TRUE because the delegate call is made to a dead contract.

I believe someone might exploit it.
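
Added example, not part of the original thread and not Parity's code: a toy Python model of the mechanism described in the comment above, where an uninitialized library is claimed and destroyed and later delegatecalls from a dependent wallet report success without running any code. The addresses, account names, the single-owner `kill` check and the "initialize the library at deployment" mitigation are assumptions made for illustration.

```python
# Toy model of the EVM rules involved, constructed for illustration (not Parity's code).
LIB, WALLET = "0xLIB", "0xWALLET"  # placeholder addresses

class Chain:
    def __init__(self):
        self.code = {}     # address -> code object; a missing key means "no code"
        self.storage = {}  # address -> that account's own storage
    def deploy(self, addr, code):
        self.code[addr] = code
        self.storage[addr] = {"owners": set()}
    def run(self, code_addr, ctx, sender, fn, *args):
        """Run code_addr's code on ctx's storage: a plain call when both are
        equal, a delegatecall otherwise. Returns (success, return_value)."""
        code = self.code.get(code_addr)
        if code is None:
            return True, None  # EVM rule: calling an address with no code succeeds
        try:
            return True, getattr(code, fn)(self, ctx, sender, *args)
        except PermissionError:
            return False, None  # the callee reverted

class WalletLibrary:
    def init_wallet(self, chain, ctx, sender, owners):
        if chain.storage[ctx]["owners"]:
            raise PermissionError("already initialized")
        chain.storage[ctx]["owners"] = set(owners)
    def is_owner(self, chain, ctx, sender, addr):
        return addr in chain.storage[ctx]["owners"]
    def kill(self, chain, ctx, sender):  # simplified to a single-owner check
        if sender not in chain.storage[ctx]["owners"]:
            raise PermissionError("not an owner")
        del chain.code[ctx]  # selfdestruct removes the executing account's code

def scenario(initialize_library):
    chain = Chain()
    chain.deploy(LIB, WalletLibrary())
    chain.deploy(WALLET, "stub that delegatecalls LIB")
    chain.run(LIB, WALLET, "alice", "init_wallet", ["alice", "bob"])
    if initialize_library:  # assumed mitigation: the deployer claims the library
        chain.run(LIB, LIB, "deployer", "init_wallet", ["deployer"])
    claimed, _ = chain.run(LIB, LIB, "stranger", "init_wallet", ["stranger"])
    chain.run(LIB, LIB, "stranger", "kill")
    return {
        "stranger_claimed_library": claimed,
        "library_has_code": LIB in chain.code,
        "wallet_is_owner": chain.run(LIB, WALLET, "anyone", "is_owner", "mallory"),
        "wallet_kill": chain.run(LIB, WALLET, "alice", "kill"),
        "wallet_has_code": WALLET in chain.code,
    }
```

With `scenario(False)` the wallet's `is_owner` and `kill` calls both come back as success with no return data while the wallet's code stays in place; with `scenario(True)` the stranger's claim reverts and the wallet behaves normally.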

@ghost ghost closed this Nov 7, 2017

@ghost ghost reopened this Nov 7, 2017

@hlogeon

commented Nov 7, 2017

Hello! We've clashed this problem! Thanks Parity for the great contract again ;)
Any ideas on how we can get our ETH and tokens back from the hacked multisig?
I think that we can get ETH back just by killing contract itself but what about tokens?

@hlogeon

commented Nov 7, 2017

For those Parity guys who don't believe that this exploit works - check out your library which was used by multiple multisigs: https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4#code

@hlogeon

commented Nov 7, 2017

It looks like kill will not work on the contract itself if the library was killed. Nice job, Parity

@ghost

Author

commented Nov 7, 2017

@hlogeon 1. Why kill won't work?
2. Will ether transfer by owners work?

@hlogeon

commented Nov 7, 2017

@devops199
Because there is an onlymanyowners modifier, which I think refers to the library. I didn't check why it's not working, but the result of calling kill by 3 owners with the same arguments is just nothing.

@noxonsu

commented Nov 7, 2017

"pragma solidity ^0.4.9;" released on 31 Jan

@hlogeon

commented Nov 7, 2017

"pragma solidity ^0.4.9;" released on 31 Jan

How does it solve the problem?

@tomusdrw

Contributor

commented Nov 7, 2017

Please read the details of the issue here: https://paritytech.io/blog/security-alert.html

We are analysing the situation and will release an update with further details shortly.

@5chdn

Contributor

commented Nov 9, 2017

The library is removed from the registry and all current Parity Wallet versions default to the WHG multi-signature wallets.

@5chdn 5chdn closed this Nov 9, 2017

@5chdn 5chdn added this to the 1.9 milestone Nov 13, 2017

@paritytech paritytech unlocked this conversation Nov 13, 2017

@RafaelCosman

commented Dec 22, 2017

@bernardpeh

commented Jan 19, 2018

How come the last 2 links no longer work?

@kirushik

Member

commented Jan 19, 2018

@bernardpeh Our bad, blog engine update ruined some of the links. Thanks for reporting.
I took the liberty of fixing the links in the comment — it will do as a stopgap measure, but we'll definitely fix the underlying cause as well.

@wongwf82

commented Jul 22, 2018
