Parity Wallet Struck Again by Critical Vulnerability

A critical vulnerability has again been revealed in Parity multisig wallets, locking in thousands of Ethereum and affecting the funds of the Polkadot ICO.

The Parity wallet team has released a Security Alert for multisig wallets deployed after July 20, 2017. The alert is rated "critical" and was issued after a hacker disabled the code protecting the wallets.

A hacker named devops199 called a function to kill the smart contract after discovering the vulnerability.


The hacker exploited the logic of a smart contract that had been deployed as a fix for the July 19 vulnerability. It is still unclear whether the smart contract was killed with malicious intent, but the damage may be serious.


Currently all Parity multisig wallets have been closed, locking in an unknown amount of Ethereum and freezing the Polkadot ICO. The representatives of Polkadot stated that: 

"The Foundation has not yet understood the sequence of events leading to the user’s suicide call to the contract library, but we are making all efforts to evaluate them, the ramifications and any possible solutions."

The code library wiped out by the ethical hacker was itself a form of smart contract. This means the wallets are unresponsive. Multisig wallets usually require two or three private keys to be unlocked. At this point, there is little information on how the funds could be unlocked now that the smart contract has been destroyed.

There is a possibility that the only way to unfreeze the funds is to fork the Ethereum network and roll back the changes. This happened in the case of the DAO, where a faulty smart contract led to losses and the blockchain forked into Ethereum and Ethereum Classic.

The issue drew criticism in the cryptocurrency community, once again showing that smart contracts are not miraculous and may hold unknown vulnerabilities in their logic that are not always immediately noticed.