Makers of the Parity multi-sig Ethereum wallet have announced a critical vulnerability that has led to millions of dollars of funds being frozen. It is the second flaw to be discovered following the original Parity breach in July that led to $30 million of ether being stolen.
Parity Discovers Second Flaw in Five Months
Users of the popular Parity Ethereum wallet have been left reeling after its developers revealed the discovery of a security flaw. The threat, which has been described as “critical”, renders all multi-sig contracts unusable and has locked up hundreds of millions of dollars of ether. The news couldn’t have come at a worse time for Parity, which has been battling to restore its reputation following July’s embarrassing hack which led to at least 150,000 ethers being stolen. The original theft would have been worse were it not for the actions of white hat hackers who helped to recover an additional 377,000 ethers.
Following the hack, Parity issued a fix for the exploit, deploying a new library contract that was meant to resolve the issue. It’s now transpired that the new code contained another flaw which enabled the library contract in the Parity Wallet to be converted into a regular multi-sig wallet. As a consequence, an individual was able to use the initWallet function to take ownership of the wallet.
Multi-Sig Funds Frozen
In a blog post explaining the latest flaw, the Parity team stated:
It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
The post concludes by stating: “This means that currently no funds can be moved out of the multi-sig wallets.” $152 million in ether is believed to have been frozen following today’s news, with companies including Polkadot reporting that they have been unable to access their funds.
A number of high profile companies lost ether during the multi-sig hack which took place around July 19th. Among them were Aeternity, Edgeless Casino and Swarm City, the latter losing over 44,000 ethers alone. While there are no confirmed reports, as yet, of users’ funds being stolen on this occasion, these are worrying times for a company who boast that their wallet client “powers much of the infrastructure of the public Ethereum network”.
The company have moved to discredit reports circulating on social media that funds have been stolen again on this occasion, describing talk of stolen ether as “speculative”. The phrase “to the best of our knowledge” is unlikely to inspire confidence in customers who may be affected by the vulnerability however. Parity are currently investigating the matter and have promised to publish another update shortly.