Between $150 million and $300 million in digital currency called ether remains inaccessible today after a user said he “accidentally” triggered a vulnerability that froze the funds in the popular Parity wallet.
Parity Technologies issued an advisory warning users about the flaw in the Parity Wallet library contract affecting users with assets in a standard multi-sig contract deployed after July 20, one day after the original bug in this saga had been patched. Parity said in its advisory:
“However that code still contained another issue—it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
Researcher Matt Suiche of Comae Technologies said in a post that the user in question who goes by the handle devops199 was able to first take over the library and then kill it; the library was used by all multisignature wallets created after July 20.
“The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized,” Suiche wrote. “Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts.”
In a report published on CoinDesk.com, Ethereum Foundation head of security Martin Holst Swende said that the funds can only be accessible following a hard fork of the ethereum blockchain via an emergency update.
Parity Technologies operates independently of the Ethereum Foundation.
The July 19 bug was devastating as well. About $30 million in ether was stolen from a Parity wallet after attackers exploited a vulnerability in the software. Parity said three wallet addresses had been compromised and advised users to immediately move assets in the affected wallet to a secure address.
That’s not the case this time around since no funds can be moved out of the wallets.
“We are analyzing the situation and will release an update with further details shortly,” Parity said yesterday.