Parity multi-signature wallets created since July break, affecting 1M ETH.
As a result, 1 million ETH have become frozen in wallets, roughly $280 million (US) worth of digital currency. Of that, about $90 million belongs to Parity founder and former Ethereum core developer Gavin Wood’s Initial Coin Offering (ICO) Polkadot, according to Tuur Demeester, editor in chief at Adamant Research.
Critical Parity bug leaves +$150M in $ETH frozen, including $90M of Gavin Woods’ Polkadot ICO. Cue clamoring for new hard-fork bailout… https://t.co/loIkQmnuXz
- Tuur Demeester (@TuurDemeester) November 7, 2017
The bug specifically affects multi-signature wallets created with a digital contract after July 20. Multi-signature wallets have cryptographic security measures that require multiple users to sign a transaction in order for it to be processed and approved, an approach that allows for escrow contracts to control payments from accounts belonging to a group.
By calling a function from within Parity’s wallet library, a wallet owner could turn a normal single-owner wallet created with Parity’s wallet contract library code into a multi-signature wallet and take over ownership of it. That bug in the code would allow someone to kill any contract created with the most recent Parity code library, and that is exactly what happened. Someone managed to invoke the code as part of a wallet and made themselves part of every multi-signature contract created since the bug was introduced into the code. The user then “suicided” the wallet and, in the process, disabled all the multi-signature contracts that had been created since July 20 by making them “suicide” as well.
In a security blog post, a Parity spokesperson wrote:
It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
Parity is still investigating how to correct the problem.
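As an added illustration (not Parity's code and not part of the original article), this Python toy model reproduces the failure described above: wallets whose state-modifying logic lives in one shared library stop working once that library's code is removed, while their balances stay in place. All names (WalletLibrary, init_owner, withdraw, destroy, the addresses) are hypothetical, and filling the library's owner slot at deployment is an assumed mitigation, not Parity's stated fix.

```python
# Toy model, constructed for illustration: wallets keep their funds and
# storage but borrow all state-modifying logic from one shared library.
class Chain:
    def __init__(self):
        self.code, self.storage, self.balance = {}, {}, {}

class WalletLibrary:
    def init_owner(self, chain, me, store, sender):
        if store.get("owner") is not None:
            raise PermissionError("already initialised")
        store["owner"] = sender

    def withdraw(self, chain, me, store, sender):
        if store.get("owner") != sender:
            raise PermissionError("not owner")
        amount, chain.balance[me] = chain.balance[me], 0
        return amount

    def destroy(self, chain, me, store, sender):
        if store.get("owner") != sender:
            raise PermissionError("not owner")
        chain.code[me] = None  # self-destruct: code at this address is gone

def run(chain, code_addr, state_addr, fn, sender):
    """Run the code stored at code_addr against the storage of state_addr."""
    logic = chain.code.get(code_addr)
    if logic is None:
        raise RuntimeError("no code at " + code_addr)
    return getattr(logic, fn)(chain, state_addr, chain.storage[state_addr], sender)

def scenario(library_preinitialised):
    chain = Chain()
    chain.code["LIB"] = WalletLibrary()
    # Hardened variant (assumption): library's own owner slot set at deployment.
    chain.storage["LIB"] = {"owner": "nobody" if library_preinitialised else None}
    chain.storage["W1"], chain.balance["W1"] = {"owner": None}, 100
    run(chain, "LIB", "W1", "init_owner", "alice")   # wallet delegates to LIB
    try:
        # Direct calls on the library itself act on the library's own storage.
        run(chain, "LIB", "LIB", "init_owner", "stranger")
        run(chain, "LIB", "LIB", "destroy", "stranger")
    except PermissionError:
        pass                                          # hardened library refuses
    try:
        return "withdrawn", run(chain, "LIB", "W1", "withdraw", "alice")
    except RuntimeError:
        return "frozen", chain.balance["W1"]          # funds remain, logic gone

if __name__ == "__main__":
    print(scenario(False), scenario(True))
```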
The individual who triggered the lockdown claims to be new to Ethereum and expressed concern in a forum about what would happen to him:
pic.twitter.com/lKV7Hm4rD7
- MyEtherWallet.com (@myetherwallet) November 7, 2017
Security researcher Andrea Shepard compared the impact to what happened when a popular Node.js library was pulled from the npm registry, breaking thousands of Web applications in the process.
“It’s literally leftpad all over again,” she tweeted, “but with large amounts of money.”