Between $150 million and $300 million in the digital currency called ether remains inaccessible after a user “accidentally” triggered a vulnerability that froze the funds in the popular Parity wallet.

In Capsule:

  1. A vulnerability has been found in the Parity Wallet library contract of the standard multi-sig contract.
  2. Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July are affected.
  3. More than $150 million worth of digital currency remains inaccessible.

Parity Technologies issued an advisory warning users about the flaw in the Parity Wallet library contract affecting users with assets in a standard multi-sig contract deployed after July 20, one day after the original bug in this saga had been patched. Parity Technologies operates independently of the Ethereum Foundation.

Parity said in its advisory:

“We very much regret that this incident has caused a great deal of stress and confusion amongst our users and the community as a whole, especially with all the speculation surrounding the issue. We continue to investigate the situation and are exploring all possible implications and solutions.

“Following the fix for the original multi-sig vulnerability that had been exploited on 19th of July, a new version of the Parity Wallet library contract was deployed on 20th of July. Unfortunately, that code contained another vulnerability which was undiscovered at the time - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It is our current understanding that this vulnerability was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC. Subsequently, a user deleted the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable and funds were frozen since their logic (any state-modifying function) was inside the library.”

The July 19 bug was destructive as well. About $30 million in ether was stolen from a Parity wallet after attackers exploited a vulnerability in the software. Parity said three wallet addresses had been compromised and advised users to immediately move assets in the affected wallet to a secure address.

All dependent multi-sig wallets that were deployed after 20th July functionally now look as follows:

    contract Wallet {
        function () payable {
            Deposit(...)
        }
    }

This means that currently no funds can be moved out of the multi-sig wallets.

If any users are concerned about whether their wallet has been affected, please visit the link that Parity Technologies created to provide a list of affected accounts.
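
The failure mode the advisory describes, as an added example that is not part of the original article and is not Parity's code: a toy Python model in which stub wallets keep the funds but delegate all logic to one shared library. The names (`Library`, `Wallet`, `scenario`), the simplified call semantics, and the `guarded` one-time-initialisation check are assumptions made for illustration.

```python
# Toy model (constructed for illustration) of stub wallets that delegate all
# logic to one shared library. Not real EVM semantics and not Parity's code.

class Library:
    """Shared wallet logic; each function acts on the storage it is handed."""
    def __init__(self, guarded):
        self.guarded = guarded   # assumed hardening: initialise only once
        self.alive = True        # False once the library code is deleted
        # Hardened variant claims the library's own storage at deployment.
        self.storage = {"owner": "deployer"} if guarded else {}

    def init_wallet(self, storage, caller):
        if self.guarded and "owner" in storage:
            raise PermissionError("already initialised")
        storage["owner"] = caller

    def kill(self, storage, caller):
        if storage.get("owner") != caller:
            raise PermissionError("not owner")
        self.alive = False       # the shared code is gone for every wallet

    def withdraw(self, storage, caller, amount):
        if storage.get("owner") != caller or amount > storage["balance"]:
            raise PermissionError("refused")
        storage["balance"] -= amount
        return amount

class Wallet:
    """Stub wallet: holds funds and state, delegates all logic to the library."""
    def __init__(self, lib, owner, balance):
        self.lib, self.storage = lib, {"balance": balance}
        lib.init_wallet(self.storage, owner)

    def withdraw(self, caller, amount):
        if not self.lib.alive:   # delegating to deleted code moves nothing
            return 0
        return self.lib.withdraw(self.storage, caller, amount)

def scenario(guarded):
    """Replay the advisory's sequence; return (amount withdrawn, balance left)."""
    lib = Library(guarded)
    wallet = Wallet(lib, "alice", 100)
    try:
        # Direct calls on the library itself, against the library's own storage.
        lib.init_wallet(lib.storage, "stranger")
        lib.kill(lib.storage, "stranger")
    except PermissionError:
        pass                     # hardened library rejects re-initialisation
    return wallet.withdraw("alice", 10), wallet.storage["balance"]
```

`scenario(False)` leaves the wallet's balance intact but unmovable, which is the frozen-funds outcome; `scenario(True)` lets the owner withdraw because the library could not be claimed and deleted.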