{"id":18484409,"url":"https://github.com/giveth/whgbalanceverification","last_synced_at":"2025-04-08T18:33:24.757Z","repository":{"id":23020251,"uuid":"97936659","full_name":"Giveth/WHGBalanceVerification","owner":"Giveth","description":"Verification of the balances rescued from the multisig compromise","archived":true,"fork":false,"pushed_at":"2023-02-15T16:14:38.000Z","size":7183,"stargazers_count":10,"open_issues_count":4,"forks_count":15,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-02-22T22:23:53.925Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Giveth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-07-21T10:34:51.000Z","updated_at":"2024-12-31T10:24:28.000Z","dependencies_parsed_at":"2024-11-06T12:46:42.081Z","dependency_job_id":"81ed799d-7fa0-448a-b3ae-a14955c3e252","html_url":"https://github.com/Giveth/WHGBalanceVerification","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Giveth%2FWHGBalanceVerification","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Giveth%2FWHGBalanceVerification/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Giveth%2FWHGBalanceVerification/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Giveth%2FWHGBalanceVerification/manifests","owner_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/owners/Giveth","download_url":"https://codeload.github.com/Giveth/WHGBalanceVerification/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247902860,"owners_count":21015535,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T12:39:43.605Z","updated_at":"2025-04-08T18:33:19.748Z","avatar_url":"https://github.com/Giveth.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WHGBalanceVerification\n\nWhite Hat Group Deployment Strategy and Data Verification Document\n\n\n\n# Strategy  \n\nOn the 19th of July the White Hat Group rescued various multisig contracts deployed with vulnerable bytecode. We plan to deploy new multisig contracts with this vulnerability removed. These new multisig contracts will have new addresses, but otherwise maintain the expected constructor parameters (`[_owners]`, `_required`, `_dayLimit`) and the appropriate ether and token balances. \n\nWe aim to do this as safely as possible and as quickly as possible. Therefore, we are submitting the 3 csv files (`multisig_rescue_wallets_filtered.csv`, `multisig_rescue_ether.csv`, and `multisig_rescue_tokens.csv`) that contain the data needed to achieve this task for community review. 
These files will be used directly for the deployment of the new multisig contracts and the transactions that will fill them.\n\nThis deployment will be simulated on the Test Net tomorrow morning (July 22nd).\n\nWhen we are satisfied with the security \u0026 accuracy of `multisig_rescue_wallets_filtered.csv` and our deployment scripts, and the chosen multisig wallet implementation has been finalized by Parity, we will deploy the replacement multisig wallets to the Main Net and generate the `newWallets.csv` file linking the old vulnerable wallet addresses to the new replacement wallet addresses for community review before sending all of the tokens and ether to the newly generated wallets.\n\n\n\n# The Contents of ./jbaylina\n\nPlease follow the formatting outlined below for your own audits.\n\n\n\n## `multisig_rescue_oldwallets_jordi.csv` \n\nThis file describes each wallet that `0x1dba1131000664b884a1ba238464159892252d3a` attempted to rescue, specifically listing:\n\n`oldWallet`, `[owners]`, `required`, `day_limit`\n\nSorted by `oldWallet`; `[owners]` should be a string but formatted as a JavaScript array.\n\n\n\n## `walletMapping.csv`  (to be generated after deployment to Main Net)\n\nUpon verifying `multisig_rescue_oldwallets_jordi.csv`, and confirming the code for the new multisig contracts with Parity, we will deploy the new wallets and create `newWallets.csv` with \n\n`oldWallet`, `newWallet` Sorted by ‘oldWallet’\n\nThese new wallets have the exact same `oldWallet`, `[owners]`, `required`, `day_limit`\n\nThis will also need to be verified by the community. \n\n\nTwo vulnerable multisigs had vulnerable multisigs listed as an `owner`. \n\nFor ‘0x6dbb825564e85925b0414fdbd41f764ec475c59b’ we manually excluded it from the automatic deployment and replaced the vulnerable multisig’s address with its corresponding replacement multisig.\n\nThe other exception, ‘0xccfa829f12bd1b7618702ace114a0e464f311f6e’, was a very curious case indeed. 
This vulnerable multisig has `_required == 1` and has two “owners”, one being ‘0x00b159a054b4b6871ecb6c3a5ca080837953e5a4’ and the other being the multisig itself… \n\n\n\n## `multisig_rescue_ether_jordi.csv`\n\nThis file lists the tokens that are assumed to have been rescued from each wallet, specifically listing: \n\n`wallet`, `amount`, `cumulativeAmount`\n\nSorted by `wallet` with `amount == 0` omitted; `amount` and `cumulativeAmount` are listed in wei.\n\n\n\n## `multisig_rescue_tokens_jordi.csv`  \n\nThis file lists the tokens that are assumed to have been rescued from each wallet, specifically listing: \n\n`tokenAddress, tokenSymbol, wallet, amount, cumulativeAmount`\n\nSorted by `tokenAddress` (all characters should be lowercase) and then by `wallet` with `amount == 0` omitted; `amount` and `cumulativeAmount` are listed in the lowest unit of the token.\n\n\n# Helping\n\nWe are excited to compare our results against YOURS.\n\nPlease create a new folder for your implementation. \n\nThe operation is assumed to have started at block 4041168 and ended at 4046151 (Please verify).\n\nWe have already received a community contribution from BokkyPoobah, which lives in the ./BokkyPoobah directory. This closely matches ./jbaylina, with a few interesting differences. @rodney757 verified BokkyPoobah's data to produce `multisig_rescue_wallets_filtered.csv`; see his README.md in ./rodney757. @Lefterisjp included an independent analysis which is currently underway. Please see his README.md in ./lefteris. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiveth%2Fwhgbalanceverification","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgiveth%2Fwhgbalanceverification","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiveth%2Fwhgbalanceverification/lists"}