Hello and welcome to the IEXEC bi-weekly development letter. Today, we’ll report on the Parity multisig hack and give some perspective on research & development.

The day we lost 120K ETH…

On Jul-19-2017 06:35:06 PM, I received an automatic notification email from etherscan.io that was signaling some activity on the Ethereum multisig wallet, where the IEXEC funds are stored. I rapidly checked the balance and discovered that it was zero: all the funds (>120,000 ETH) were transferred to an unknown address.

Some background: to secure the funds collected during the crowdsale, we kept the ETH in a cold multisig wallet whose keys are securely stored in bank vaults in China, France, and another place in Europe. But the code of the multisig wallet provided by the Parity client had a bug that was easy for a malicious hacker to exploit. Simply explained, the functions that set up the wallet were left unprotected, allowing anyone to reset the ownership of the wallet (which they did) and drain the funds from the wallet.
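The class of bug described above, shown as an added example that is not the Parity wallet source or IEXEC code: a setup function with no guard, next to a form that can only run once and validates its input. The contract, function and event names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts only; all names are hypothetical.

// Weak form: setup() has no guard, so any caller can run it again
// later and change who owns the wallet.
contract UnguardedSetupWallet {
    mapping(address => bool) public isOwner;
    uint256 public required;

    function setup(address[] calldata owners_, uint256 required_) external {
        for (uint256 i = 0; i < owners_.length; i++) {
            isOwner[owners_[i]] = true;
        }
        required = required_;
    }
}

// Hardened form: setup() succeeds exactly once and rejects bad input.
contract GuardedSetupWallet {
    mapping(address => bool) public isOwner;
    uint256 public ownerCount;
    uint256 public required;
    bool private initialized;

    event OwnersInitialized(uint256 count, uint256 threshold);

    function setup(address[] calldata owners_, uint256 required_) external {
        require(!initialized, "already initialized");
        require(owners_.length > 0, "no owners");
        require(required_ > 0 && required_ <= owners_.length, "bad threshold");
        initialized = true; // set before any other state change
        for (uint256 i = 0; i < owners_.length; i++) {
            address o = owners_[i];
            require(o != address(0) && !isOwner[o], "invalid or duplicate owner");
            isOwner[o] = true;
        }
        ownerCount = owners_.length;
        required = required_;
        emit OwnersInitialized(ownerCount, required_);
    }
}
```

Where the wallet is deployed directly rather than set up after deployment, doing this work in the constructor removes the window between deployment and the first setup call. The emitted event gives monitoring a single point to alert on if ownership is ever initialized unexpectedly.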

About one hour after the hack, we started to hear rumors saying that the exploit may have been implemented by a group of white hat hackers. This information was first confirmed by etherscan.io when they displayed a statement on the web page of the address where the funds were moved.

… and got them back!

Something incredible happened! A team of super-heroes who called themselves the White Hat Group had rescued all the funds from all the affected Parity multisig wallets! Not only IEXEC, but also BAT, ICONOMI, cofound.it and many more. The total of the funds recovered exceeded 200 million USD. WHG issued a first statement on Reddit (A Modified Version of a Common Multisig Had A Vulnerability — The WHG Took Action & Will Return the Funds) and later regularly communicated using the /r/ethereum thread. You can read the full story from their side here.

At IEXEC, we want to congratulate the WHG and express our gratitude for their outstanding action that saved many projects essential to the community. Everyone has to understand that it also takes a lot of courage to take responsibility for this rescue! Today, all the funds have been transferred back to IEXEC and are now safely stored in a newly deployed wallet.

Some experience and lessons learned