Ethereum is no stranger to coding crises and wallet mishaps; remember the bug back in July that allowed $30 million of Ether to be stolen from a popular Ethereum wallet client? Well, it has happened again, and to the same Parity wallets that were compromised earlier this year.
A vulnerability resulted in the freezing of money in all Parity multi-signature wallets deployed after July 20th when a developer ‘accidentally’ triggered a vulnerable piece of code. Some estimates put the Ether that can no longer be accessed or used by Parity users as high as $280 million.
The company has been battling to recover its reputation from a previous code breach which allowed hackers to steal 150,000 ETH in July. The original theft would have been a lot worse were it not for the actions of white hat hackers who helped to recover an additional 377,000 ETH.
Following July’s hack, the company deployed a new library contract intended to patch the exploit. The new code contained another flaw: the library contract itself could be turned into a regular multi-sig wallet, and whoever did so became its owner.
The Parity team published this blog post to explain the situation:
“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
The company went on to state that no funds can be moved out of the multi-sig wallets and $152 million in Ether is believed to have been frozen.
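The dependency described in the blog post can be reproduced in a small model. This is an added example, not Parity's code: a Python simulation in which every wallet forwards its calls to one shared library object, run once with the library left uninitialized and once with its own storage locked at deployment. The class names, the simplified single-owner `withdraw`, the `lock_own_storage` guard and the sample owners and balances are all assumptions made for illustration.

```python
class Reverted(Exception):
    """A contract-level check rejected the call."""

class Library:
    """Shared logic (constructed model); functions get the storage they act on."""
    def __init__(self, lock_own_storage):
        # Assumed guard: the library marks its own storage initialized at deploy.
        self.storage = {"owners": [], "initialized": lock_own_storage}
        self.has_code = True
    def init_wallet(self, storage, caller, owners):
        if storage["initialized"]:
            raise Reverted("already initialized")
        storage["owners"], storage["initialized"] = list(owners), True
    def withdraw(self, storage, caller, amount):
        if caller not in storage["owners"] or amount > storage["balance"]:
            raise Reverted("not allowed")
        storage["balance"] -= amount
        return amount
    def kill(self, storage, caller):
        if caller not in storage["owners"]:
            raise Reverted("not an owner")
        storage["destroyed"] = True
    def direct_call(self, fn, caller, *args):
        # A call to the library's own address acts on the library's storage.
        result = getattr(self, fn)(self.storage, caller, *args)
        if self.storage.get("destroyed"):
            self.has_code = False  # self-destruct wipes the shared code
        return result

class Wallet:
    def __init__(self, library, owners, balance):
        self.library = library
        self.storage = {"owners": [], "initialized": False, "balance": balance}
        self.call("init_wallet", owners[0], owners)
    def call(self, fn, caller, *args):
        if not self.library.has_code:
            return None  # no logic left to run, so the balance cannot move
        return getattr(self.library, fn)(self.storage, caller, *args)

def scenario(lock_own_storage):
    """Amount an owner can still withdraw after an outsider calls the library."""
    # Constructed names and balances, for illustration only.
    lib = Library(lock_own_storage)
    wallet = Wallet(lib, ["alice", "bob"], balance=100)
    try:
        lib.direct_call("init_wallet", "outsider", ["outsider"])
        lib.direct_call("kill", "outsider")
    except Reverted:
        pass  # the locked library rejects re-initialization
    return wallet.call("withdraw", "alice", 40)
```

`scenario(False)` returns `None` because the wallet's only logic lived in the destroyed library, while `scenario(True)` returns the 40 units the owner asked for.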
Memories still linger of Ethereum’s darkest days, the DAO attack last year, which resulted in the theft of $60 million of Ether. This exploit does not affect Ethereum as a whole, but it has raised security concerns amongst the community. Fingers are now being pointed at the security of Ethereum and its smart contract coding language, Solidity. Some serious questions will be asked, and it is likely that Parity could lose a large portion of its customers, if they ever get their crypto back.