AD
以太坊Parity多重签名钱包的一个关键性安全漏洞在11月6日触发了,这导致在7月20号之后创建的Parity多重签名钱包全部瘫痪。
正如你已经看到的,Parity在今天发布了一份安全通告,告知其用户和开发者这一“意外”触发的漏洞,根据统计,该漏洞导致价值超过1.5亿美元的以太币被冻结,其中包括属于Parity创始人,以太坊前核心开发者Gavin Woods的新项目“Polkadot”的9000万美元资金。
ContractEther0x1c0e9b714da970e6466ba8e6980c55e7636835a61,000.000x227b7656129bc07eef947d3c019a7a8f36a24e74655.000xa8871d303c501c39deb2abe118691eeeea813e30450.000xc7cd9d874f93f2409f39a95987b3e3c73831392516,475.530x3bfc20f0b9afcace800d73d2191166ff16540258306,276.270xd7dfc49e5d13f77830029134fb06f5fa6d5e8ec41,173.400xe705daf2f65228aade8c8ac4f60a586b1391228d340.400x43ab622752d766d694c005acfb78b1fc60f35b6921,704.330x71331c46fba44d85e293d63d1d5a8cdadf264451409.670x0397453bb7db560a039d474c5693578fdb6096c4600.000x39d46c1824dfc32ad4e80c28a825296a8ac52437397.000x94bd4150e41c717b7e7564484693073239715376671.690x22ef5434cc2deb6c760c7ebbc88777d1f32757f6397.000x7693f7100a671d0cbfca63bd766fd698c17d6f04779.090x376c3e5547c68bc26240d8dcc6729fff665a4448114,9390x35bd14e205251f3ee0405bc543ceac1d776e5736400.000x47c663ba238fb5c66fa7ac92c33a86a41da261de594.000xd341f357138dc3d1488e203a0138de71f4e0de631,376.330x0da3cb3046f72fcbb49edf01b04ab6efc6c0d8dc2,520.770x4d8006dc86d6015d5cb1f33c4e98ca12c39fcba2360.000x8655d6bf4abd2aa47a7a4ac19807b26b7609b61d3,000.000xa08c1134cdd73ad41889f7f914ecc4d3b30c1333325.500x41849f3bd33ced4a21c73fddd4a595e22a3c22513,237.040xa14703b1da572e3ddf4803113eb32159209199db600.000xbe17d91c518f1743aa0556425421d59de03727664,360.670x28ff414bb944b81053389f22113ad305c8ac69fa332.000xdb46b29957b3021a5ea79c49f443083aba994a33500.000x3fcb02a27dc60573a0cb9bff9528fcd77e78d7341,568.310x49eafa4c392819c009eccdc8d851b4e3c2dda7d04,524.980x10e301560860db30dc1bc519a99aa860bc71f076365.000x37c6772be3e333e8acbc38521fb5090b0abe1a3b350.000x7100c7ce94607ef68983f133cfd59cc1833a115d327.540x0881538f81a4092bf5a00462c1853a5f2a8b6fa5353.000x05cf82965cc412494c5de53bf107ec631accf03e399.000xf6e51ae30705cd7248d4d9ac602cb58cc4b61a521,400.000xd95a6aa3e20397211e487b231211e16790a21ac9150.480x7b6bce3cf38ee602030662fa24ac2ed5a32d0a02144.850x2f9f02f2ba99ff5c750f95cf27d25352f71cd6a9320.000xd31a34d621122bebe0dee360e33bbe61193d5b901,416.100x05b34bf3562c61715f70240104abc6ae8c80055c1,577.310x428c131b323161f549bf61da2a434d1a3a920b0b500.000xcf46cc20deba6b802707961ca3c6f3602566c2cf350.030xe4aa399ac8c2c636c3f084f8176c01c5c73ed90e350.000x6492780dc59598c6f8a4984c6deffd4600ba00031,7470x4ebcf8a133cce749ee07d4c764e10d1916f84f5c342.820x728dbf45456de6b51b1227d5cd5e2507167688c0350.000xef5da7752c084df1cc719c64bbe06fa98b2c554c345.500x53ea709e81eefa48a311b2a582ad8057d45d4acc350.000x0f30c808069315b3b7dfbfe149c87448b50c6d8b285.740x7e5b6dd9ba1abf42bfb41e5ae8f46fe5e01aae14285.000x66ea39aee3f4a2e39d2f28b397a4daf0bffafd8922.720xdb0e7d784d6a7ca2cbda6ce26ac3b1bd348c06f86,9250xc1bd4f07421571364617adce98a8d657f52498b7108.470xa9eebb32a1d459eb1eb5078c543427c34da4431357.890x2006df02a034359fd32e5bb7d64e07aca44b573a10.410x8f7070b6b8e8ac245cc8735c32cccc12e178a99e7.520x009f3de1e8878cda9c2e94a6ce6084d9ca86425c10.410x570f77473c329a5149fe5d5786d8759e38ed15be15.000xbd13904c10be5fb680e1f6f950bbd4a317d7098c10.590x7c922218294246fc1e8c99c737f87afd94361f4f6.660xe0b93a625693a33221cf9bd534ae790ea59a9ba75.680xdcab43b6ef9dd156c54e1c4f055aa60e317c6f9910.070x394d8b3c5de759b8258376fde9b394c8f237d8c480.580xc1bef33095fc3ff1bfa38a193a028fd6707514625.200x1b3de683a4ff93457b0a27986361a5090e3fbb506.960x21675f1b593ac15c5585bca5e7778e4f391620bd2.910836440x37764fe50340f0158b9facefb3dbaf5222e34a3d5.500x4073404129aea005a661f09c38bc64908b27a7465.000x2f56c5f0b2548ce52fac5512b76eadbb2c511a7f4.350x19986fcfbc5ef9b9e377fa8429c5a8d215cbe81420000x4de05b00797b11ae43e08ad0068fbd0689a0e041768.80x5f3ce3907e7e4c5b5b8d04dd3211ca8b81a64733741.42724750x6e314220258a6fa41c2d50cd98f123ffff247d9e5010x043dae09e7f51d02b8745bcf82c4c5ee86e4bc96360.000xc32050abac7dbfef4fc8dc7b96d9617394cb4e1b340.230xe9d7d845388311e478be278bc2b48afed5bdadde2.000xdd0c464c5ef163badeb6d3f4d71ed956771d599f1.020xdd21d75db9ed2fe97775ffa46e8fa1c8072cd15d10xdc7f356bfa601aeaa96d79efad3e0eb50516957210xc94be6acc592957291d787e802b0c932a76d671a0.9999970940x4585b138dc13925c65613a511fc1fc642d16d9760.99975833020x5483c2e726061fa518379820d863076aff39f7ea0.80x5ccba1eab776fc4d7cc89084c1825f5ffd87ffda0.7939528250xc3501dad78f27c7147b65701c5da2d1d2a71285e0.4950x08ca68ecc2cc98f8ba6345531089899fc4c42f570.46870x4405cdf409d270fa55f9a4020c3b5772bf1a1a100.29907568940x62c00230b47cc17d6c9a871352568b3f4ffc5f1a0.20x1947c2a678b7cbac00a75d6490ca7d6f8a4b0eda0.20xce8e7257b640cf9eef096b188e1345e96c4a80d90.1847284380x42a3d814e6e3c25d20120b972e4d174ef76d93d20.1410x3646da9d8e6cb67b0cf86af2c30c8b615d9bb9ce0.1337370510xefa1994328e59f8e24d85458810d67a27289679a0.1150x829778a21eabc3e4c6835689eea6eeb0857d1e030.10x09d9b2f572f4c7c99631349f2dbad34273aea9970.10xa9139277a57a86dbe1ab916e111b982f12ed7fdf0.10x9d8d4ff2b1dfb9a14e50e7d84952b6f14fcb83770.083055969350xa386560ac173a436c0c592272bb419c94cca8bc90.080x830389b854770e9102eb957379c6b70da4283d600.050xef0613ab211cfb5eeb5a160b65303d6e927f3f850.050x5311fce951684e46cefd804704a06c5133030dff0.050xe01c0bdc8f2a8a6220a4bed665ceeb1d2c716bcb0.050xf6c68965cdc903164284b482ef5dfdb640d9e0de0.050xe64bae6b0e8b89a1a3f8152dc3fb5e39101666890.050xe3a482efacc86b55cd60fa1ae07b658548e00c2e0.0496932420x0285d5528f574f1361009eef75a4f619427677990.0444330420xd32db75141f77a1174ba3130f69f0aa002cb1ccc0.040xa57b2cf597996a92c9967bd0f3e9d22f565b3a620.0390x42ac09396496d2484114625078ed29205ba012440.030xabfe9ee7512e2291b95666f5f0e9de1b43659e560.030x2f8d38c727ebac1daf6b42e15cdbe73cad0e22110.025482758620x8b3cb840c24ecd4f045f5cfb8ea14beec17b51e00.0240xc01283f05079d6a143c12079cecac8e3f966694c0.0230xfd2b3eb22bac1634f8b554a6d67fd11849dc3a0f0.021873780xdf665ab68393bd31cf244171ba57abdbe871f81d0.020x32a528762b6326ca0e2b314530d412f823a23d510.020x25f602eb3497cfc37d70436513fca6df45a841810.0193458310x8cfab485f4de196cc65073dc8d1196c7b64499400.0190x199a4567ddbfa4426903e36b4752213ba1f34d640.017608730xd5ca44255601a3fa439dfeb715d4f3515548368f0.0150x1afb16d06e76e39732728e186e519d99a156ef4e0.0130x69bb3d4d29249814845c8634a03ba3aa4165c9330.0120xb4210e53e5b13cbfa29f72e4764f4c4b9a6ae72a0.010089999930x4623913527a5511822e11490a91dade706f9d8540.0100031820x28877c4cc1a482378daf961937660e8d4ffeefa10.010x94535a9cee64a0258af01c8cc41cfaf7bfb58f760.010x18b4092dee9ed759b0742608be8ad904957c3d080.010xb696bee07c81b57ef2832353a7e8b26f4c80cc650.010xcf27f7edddb7af3744a545c0f8fc5b27bc652fcc0.010xd7b349624208a406627010b7d440dd2f25ddd63a0.010x8266bcb06a66efe3150a6f3ddd4f43caeb5662450.010x6924d3ad691e7f641ffe1c95aa6297e4c10e5e860.010x769512eed08245828c705a186a09709d0afb52e10.010x87f5b0d8f79182830248382a0b6aa2c86757f51c0.010x8c53795efc5dca289a703ecb40f95934b1a923620.0092460446990xac3c64644d3ca6f960308ed7cd79bfa794bf12b10.0070xd51f04d699a929c86695d0ef00973189dc9284290.0060xb69e024300f63c452ba0572405d53ca5e991dd770.0050xc1d787c7a1a98b187c31362b588447e5a945fcbb0.0050xd78331e9dd5b7dc506da403d37a43b1335fbdd110.0050xcfe56f64824c75dcfc2d9860cca088f287d4768b0.0037204397490x7614ba4b95cc4f456cae349b94b8a6992d4818ea0.0030xad0d6a9c97d6d401a7e4444859f41f0606d07b620.00260x97695b2bb33736b7517303ac4be0863a4f0d7fe90.0020x493f7decbf1e3da9765c4db06abb8c4daf4a78930.0010x142c10c90aa0a4dd588edf1ac54c3e959646cc2d0.0010x5ab18d3b796bae844e243d0bc906b0209106c10a0.00050x20db5d16771a4ebbb83a00cc27b784407a3bae970.00050x8d358fdc7e1ed7e69f7fb6d5daccc77282a2d7370.00040x39c92cae22c0648cd9382717b0b5ac944c81af140.000228390x0d6c24d85680a89152012f9dc81e406183489c1f0.000190x5cef6ef48e2ee1c1c9aecf36a669d8a4eb6609da0.000039389Ether Total513,701.99(损失统计)
正如Dan Guido指出的那样,这个新的漏洞合约从7月20号就开始部署,至今已持续超过了100天的时间,也就是在原来的多重钱包漏洞被修复后的一天。
漏洞用户名为“devops199”的新手开发者自称他意外触发了这个漏洞,并通过GitHub上报了这个漏洞。
新部署的合约 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4,包含的一个漏洞,其owner是未初始化的。这个合约作为一个library,存在可能 “devops199”可将其转变成一个常规的多重签名钱包,因为对于以太坊来说,账户、library和合约,三者之间并没有什么实质性的区别。
事件的发生,缘于两笔交易,第一笔接管了这个 library,而第二笔则杀死了这个library,而所有在7月20号之后创建的多重签名钱包,就是使用的这个 library。
交易# 1在上述交易中,这名用户使用initWallet() 函数,初始化了Parity library的owner(0xae7168deb525862f4fee37d987a971b385b96952)。将owner直接分配给library后,使得这名用户可以把这个library转换为一个常规的多重签名钱包。
// throw unless the contract is not yet initialized.
modifier only_uninitialized { if (m_numOwners 0) throw; _; }
// constructor - just pass on the owner array to the multiowned and
// the limit to daylimit
function initWallet(address[] _owners, uint _required, uint _daylimit) only_uninitialized {
initDaylimit(_daylimit);
initMultiowned(_owners, _required);
}交易#2在初始化成为这个library的 owner之后(现在已经成为了常规的多重钱包钱包),这名用户可以调用kill()指令,导致所有依赖于第三方 party库的钱包瘫痪。这影响到了7月20号之后创建的所有party钱包,因为用户们再也不能使用这个library了。
// kills the contract sending everything to `_to`.
function kill(address _to) onlymanyowners(sha3(msg.data)) external {
suicide(_to);
}结论尽管这个漏洞智能合约,在几个月前就被开源并部署了,这一漏洞依然成功地逃脱了Parity团队的审查。
由于智能合约的设计,它们无法被容易地修复,这导致一旦合约发生一点错误,依赖于这一第三方库的所有钱包就会遭殃。
事实上,库的开源化也是值得商榷的,如果我们的日常操作系统也是这样做的话,这会是可怕的。
我们已经看到很多人对区块链智能合约的积极性,一般用户认为,这些智能合约是安全的。但就像任何其他软件一样,智能合约也很脆弱。
最近所有围绕智能合约的安全问题,对于将资金存储在基于区块链的软件层而言,带来了越来越多的挑战。
声明:此文出于传递更多信息之目的,并不意味着赞同其观点或证实其描述。本网站所提供的信息,只供参考之用。
