User Patrick reported on the TheDAO forum that 7,218 ethers were hacked from his account, shortly after he used the Ethereum Wallet to send a small test transaction to purchase some TheDAO tokens.
The blockchain explorer view of Patrick’s account shows that the rogue transaction occurred 17 seconds after Patrick sent his small test transaction. This was probably due to his geth (the Ethereum node software) account being unlocked.
Looking at the source code for the Ethereum Wallet that handles the password, I found the following line at https://github.com/ethereum/mist/blob/master/interface/client/templates/popupWindows/sendTransactionConfirmation.js#L201 :

    web3.personal.unlockAccount(Session.get('data').from, pw || '', 2, function(e, res){
And the 2-second unlock is consistent with the 17-second interval between the test transaction and the rogue transaction: 2 seconds + a 15-second average block time = 17 seconds.
I suggested that this 2 second unlocking would be a possible attack vector, and it turns out that a hacker has been posting the rogue transaction on the open RPC communications port on Patrick’s Ethereum node. When Patrick unlocked his account for 2 seconds, the hacker’s transaction went through. Patrick left his RPC ports open on the Internet as he was running a “solo mining pool” with some of his miners connecting to his internal network via the Internet. He knew not to unlock his accounts in geth, but did not realise (and this was unexpected) that using the Ethereum Wallet would allow this hack to occur.
I’ve reproduced this problem and sent a report to bounty@ethdev.com . Patrick later reproduced the problem, and the steps are documented in his original post.
The Ethereum Wallet should unlock the account ONLY for its own session connection to geth, and that connection should be encrypted, as the password otherwise passes in plaintext over the IPC connection; the current implementation has the Ethereum Wallet unlock the account for every connection to geth.
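As an added defensive check (not code from the original post, Mist or geth), the script below flags a geth node whose HTTP-RPC port is reachable beyond loopback, which is the condition that let a remote client submit a transaction during the wallet’s 2-second unlock window. It assumes the geth flag names of that era (--rpc, --rpcaddr, --rpcapi) and the standard JSON-RPC rpc_modules reply; the sample command line and reply are constructed.

```python
"""Audit a geth node's RPC settings for the exposure behind this incident.

Added example, not from the original post, geth or Mist. Assumes 2016-era geth
flags (--rpc, --rpcaddr, --rpcapi) and the standard `rpc_modules` reply.
"""
import json
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DEFAULT_API = {"eth", "net", "web3"}   # geth's default --rpcapi set

def _opt_value(argv, i):
    """Value of option argv[i], written either as --opt=val or as --opt val."""
    if "=" in argv[i]:
        return argv[i].split("=", 1)[1], i + 1
    return argv[i + 1], i + 2

def parse_geth_flags(cmdline):
    """Extract the HTTP-RPC related options from a geth command line."""
    argv = shlex.split(cmdline)
    opts = {"rpc": False, "rpcaddr": "127.0.0.1", "rpcapi": set(DEFAULT_API)}
    i = 0
    while i < len(argv):
        if argv[i] == "--rpc":
            opts["rpc"], i = True, i + 1
        elif argv[i].startswith("--rpcaddr"):
            opts["rpcaddr"], i = _opt_value(argv, i)
        elif argv[i].startswith("--rpcapi"):
            val, i = _opt_value(argv, i)
            opts["rpcapi"] = set(val.split(","))
        else:
            i += 1
    return opts

def audit(cmdline, rpc_modules_reply):
    """Return findings (strings); an empty list means no remote exposure of this kind."""
    opts = parse_geth_flags(cmdline)
    if not opts["rpc"] or opts["rpcaddr"] in LOOPBACK:
        return []   # HTTP-RPC off or loopback-only: only local processes can reach it
    # Cross-check the configured modules against what the node itself reports.
    modules = opts["rpcapi"] | set(json.loads(rpc_modules_reply).get("result", {}))
    findings = []
    if "eth" in modules:
        findings.append("eth_sendTransaction reachable via %s: any remote client can spend "
                        "from an account while it is unlocked, even for 2 seconds" % opts["rpcaddr"])
    if "personal" in modules:
        findings.append("personal API exposed: remote clients can call unlockAccount themselves")
    return findings

# Constructed sample: RPC bound to all interfaces, as a remote solo-mining setup might do.
SAMPLE_CMDLINE = "geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal"
SAMPLE_MODULES = '{"jsonrpc":"2.0","id":1,"result":{"eth":"1.0","net":"1.0","personal":"1.0","web3":"1.0"}}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINE, SAMPLE_MODULES):
        print("FINDING:", finding)
```

Binding RPC to loopback and reaching it over an SSH tunnel or VPN removes the exposure; the unlock window itself is still shared by every local connection.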
Here’s the post where Patrick originally reported the hack at TheDAO forum: [Urgent]Buying DAO using Mist has hacked.
And my summary with details on Ethereum.StackExchange.com: How to reduce the chances of your Ethereum wallet getting hacked?
And a Reddit Ethereum post: Mist wallet has 2 sec vulnerability for rpc transaction attack
And here’s the problem report on github: DAOhub user claims his wallet to be hacked #611