Parity Was Warned in August About Bug That Froze Over 500 Wallets
It turns out that Parity was given a heads-up by a GitHub contributor about the bug which ended up freezing over $280 million in Ethereum earlier this month.
Parity, a provider of multisignature Ethereum wallets built on a smart contract, admitted last week that it had been warned of the possibility of the attack it suffered when GitHub user devops199 accidentally killed the contract.
"In August, a GitHub contributor called '3esmit' recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement. Thus, we committed this proposed enhancement to the library contract that would automatically initialize it by calling initWallet on construction. Interpreting the recommendation as enhancement, the changed code was to be deployed in a regular update at a future point in time," said Parity.
The bug rendered unusable 587 wallets created on or after July 20 when user devops199, without apparent malicious intent, wiped the library containing the logic by which they function. The developers knew about the bug and planned to fix it at a later time, but unfortunately, by November 7, it was too little, too late.
At this point, Parity appears focused on preventing attacks like this one from happening again.
"There are essentially two main ways this exploit could have been avoided. If the contract code had not included the functionality to suicide or kill, even if someone had taken ownership, they would not have been able to do anything. The kill functionality was a remainder of the original audited contract. The other way would have been for the wallet initialization to have been done as proposed by 3esmit, either automatically through the code change and re-deployment or manually on the contract deployed in July," they said.
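The two mitigations in that statement, shown as a simplified Solidity sketch added here for illustration. It is not Parity's contract code, and apart from initWallet and kill every name in it is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Before: a shared library contract that wallets forward their calls to
// with delegatecall. Simplified sketch, not Parity's code.
contract WalletLibraryUnsafe {
    address public owner; // never set on the deployed library itself

    // Meant to run once per wallet, in the wallet's storage, via
    // delegatecall. Nothing claims the library's OWN storage at deployment,
    // so a direct call to the library still passes this check.
    function initWallet(address _owner) public {
        require(owner == address(0), "already initialized");
        owner = _owner;
    }

    // Leftover destruct path: whoever holds `owner` on the library can
    // remove the code that every dependent wallet relies on.
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

// After: both mitigations from the statement applied.
contract WalletLibrarySafe {
    address public owner;

    // Mitigation 2: initialize on construction, so the library's own
    // storage is claimed in the deployment transaction. Using the deployer
    // as owner is this sketch's choice (assumption).
    constructor() {
        initWallet(msg.sender);
    }

    // Wallets calling through delegatecall still see their own zeroed
    // storage, so per-wallet initialization keeps working; a direct call
    // on the library now reverts because owner is already set.
    function initWallet(address _owner) public {
        require(owner == address(0), "already initialized");
        owner = _owner;
    }

    // Mitigation 1: no kill/selfdestruct function exists, so even a
    // mistaken or hostile owner cannot delete the shared code.
}
```

Either change alone would have kept the shared library in place; applying both removes the unclaimed-owner state and the destruct path together.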
As of right now, users of Parity’s services who have opened a multisig wallet since July 20 are still unable to access their funds, and we have no word on whether or not this situation will change shortly.
On their blog, they say they are working hard on the situation by submitting “Ethereum improvement proposals” in hopes that they will be able to unblock funds.