Yesterday, news surfaced about a vulnerability in multisig Parity wallets found and exploited by malicious hackers:

Severity: Critical Product affected: Parity Wallet Affected implementations: Parity 1.5 or later Summary: A vulnerability in a version of the multi-sig contract wallet.sol has been reported. Mitigation steps: Any user with funds in a multi-sig wallet created in Parity with the affected implementations should immediately move their funds to a secure address. Source: The official Parity blog

It has been reported that more than 153,000 ETH (appr. $32 million) were stolen from three Edgeless Casino, Swarm City and Aeternity.

A group of white-hat hackers who call themselves the White Hat Group (WHG) detected the vulnerability and began exploiting it in order to protect other wallets that were exposed to it. The group managed to save over 377,00 ETH that is expected to be returned to the respective projects.

In the meantime, Parity patched the vulnerability that allowed for the exploit and did a postmortem on the attack.

How does this affect AdEx

One of projects whose funding was preserved by the WHG was AdEx: we kept a part of the Ether we got from our crowdsale in precisely such a wallet. The rescued funds have been transferred to the following secure address:

0x1dba1131000664b884a1ba238464159892252d3a

While there were speculations on the legitimacy of the group at first, Parity reassured the affected multisig wallet owners by tweeting a link to a reddit thread, explaining that the WHG will deploy new multisig smart contracts for each of the wallets, and will then return the rescued funds to their original owners.

How do we diversify and protect our funds

At the time of the attack, we had already secured a portion of the funding we received by converting it into fiat currencies. More importantly, we had set a hedging plan for the funds we secured through our token sale:

20% of it is to be converted to Bitcoin (BTC)

2–5% is to be converted into Litecoin (LTC)

20% is to be converted into fiat currency

The rest of the funding will be kept in Ether (ETH)

As soon as our rescued Ether is returned to us, we will continue implementing this strategy for diversifying our funding.

What is next

The WHG have released an update on reddit, stating that they have completed the first round of calculations required for the funds redistribution.

They have also declared that they are working closely with Gavin Wood and the Parity team to determine the best multisig version to deploy, and have selected such.

In this effort, the WHG has asked the community to review this code for any errors. We at the AdEx team have volunteered to help out.

The aftermath

The malicious attack happened due to a trivial mistake in the smart contract written by Gavin Wood — one of the creators of Ethereum and inventor of the Solidity smart-contract programming language.

Yet, the consequences for the three hacked wallets are not trivial at all, and could have been much worse had it not been for the WHG.

The lesson we can all learn from this is that we should and must audit everything we deploy, no matter the authority and expertise of the programmers who wrote the code.

Thoughts of gratitude and support

We extend our gratitude to the WHG and applaud the actions they took to protect unsuspecting wallet holders from harm. We believe such actions are a true embodiment of what the Ethereum community stands for.

We intend to make a donation to the WHG in the upcoming weeks. We also fully support the initiative to start a recovery fund for the hacked projects and we plan to contribute as well. We encourage everyone else saved by the WHG to do the same.

Unfortunately, fact remains that Aeternity, Swarm City and Edgeless Casino lost millions in funding. Aeternity released an official statement explaining that they had diversified their funds; so did Edgless Casino. It appears that Swarm City lost their entire capital but they have also assured us that the work on the project continues.

Our thoughts go to the three affected projects. We will do everything in our power to support them in this challenging moment.