Parity Wallet Struck Again by Critical Vulnerability
The Parity wallet team has released a Security Alert for multisig wallets deployed after July 20, 2017. The alert is rated "critical", after a hacker disabled the code protecting the wallets.
> Update: To the best of our knowledge the funds are frozen & can't be moved anywhere. The total ETH circulating social media is speculative. — Parity Technologies (@ParityTech) November 7, 2017
A hacker called devops199 called a function to kill the smart contract after discovering the vulnerability:
The hacker exploited a flaw in the logic of a smart contract that had itself been deployed as the fix for the July 19 vulnerability. It is still unclear whether the smart contract was killed with malicious intent, but the damage may be serious.
Currently all Parity multisig wallets have been closed, locking up an unknown amount of ETH and freezing the Polkadot ICO. The representatives of Polkadot stated that:
"The Foundation has not yet understood the sequence of events leading to the user’s suicide call to the contract library, but we are making all efforts to evaluate them, the ramifications and any possible solutions."
The code library that the ethical hacker wiped out was itself a smart contract, and the wallets that depended on it are now unresponsive. Multisig wallets usually require two or three private keys to be unlocked. At this point there is little information on how the funds could be recovered now that the smart contract has been destroyed.
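To make that failure mode concrete, here is a simplified wallet-plus-library pattern of the kind described above, added as an illustration and not Parity's own code: the library claims its own storage at deployment so its one-time initialiser cannot be run against the library itself, the self-destruct path stays gated on an owner nobody controls, and the wallet refuses to delegate to a library whose code is gone instead of silently succeeding. Contract and function names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Shared logic contract (assumed names, simplified). Each wallet keeps its
// own ether and storage but runs this code via delegatecall, so the
// library's storage layout (owner in slot 0) is mirrored by every wallet.
contract WalletLibrary {
    address public owner;

    // Hardening 1: claim the library's own storage at deployment. Without
    // this, the library's storage starts empty, the one-time initialiser
    // below can be run against the library itself, and whoever does so
    // holds the owner role that gates kill().
    constructor() { owner = address(this); }
    // Runs in a wallet's storage (via delegatecall), never in the library's.
    function initWallet(address newOwner) external {
        require(owner == address(0), "already initialised");
        owner = newOwner;
    }
    // Hardening 2: a shared library should carry no self-destruct path at
    // all; if one is kept, it stays gated on an owner nobody controls.
    function kill() external {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner));
    }
}

contract Wallet {
    address public owner;             // same slot as WalletLibrary.owner
    address public immutable lib;

    constructor(address library_) {
        lib = library_;
        (bool ok, ) = library_.delegatecall(
            abi.encodeWithSignature("initWallet(address)", msg.sender));
        require(ok, "init failed");
    }

    receive() external payable {}

    // Hardening 3: a low-level delegatecall to an address whose code is
    // gone returns success with empty data, which is the "holding funds
    // but unresponsive" state described above. Fail loudly instead.
    fallback() external payable {
        require(lib.code.length != 0, "library destroyed");
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
    }
}
```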
> Developer: Hey Parity, anyone can kill your multi-sig contract. Parity: How do you know that? Dev: I just did it. 😂😂😂😂😂😂 pic.twitter.com/I0srwc70ji — Whalepool (@whalepool) November 7, 2017
There is a possibility that the only way to unfreeze the funds is to fork the Ethereum network and roll back the changes. This happened in the case of the DAO, where a faulty smart contract led to losses and the blockchain forked into Ethereum and Ethereum Classic.
The incident drew criticism in the cryptocurrency community, once again showing that smart contracts are not infallible and may hold unknown flaws in their logic that are not always noticed immediately.