An ‘accidental’ coding mistake freezes hundreds of millions of dollars in Ethereum


Coding error freezes up to $280 million worth of Ethereum cryptocurrency

Ethereum’s multisignature wallet users may have permanently lost access to an estimated $280 million in funds after a developer accidentally deleted the code library of Parity Technologies while trying to fix a flaw that would let hackers steal funds from several multisignature wallets. Ironically, the accidentally deleted code was itself a fix for a previous issue found during a hack in July, in which hackers stole $32 million from Parity’s Ethereum wallets.

For those unaware, Ethereum, the second biggest cryptocurrency after Bitcoin, provides a cryptocurrency token, or virtual coin, called “ether”, which can be transferred between accounts. Parity Technologies is a large provider of cryptocurrency wallets, which many people use to interact with the Ethereum blockchain.

Parity issued a critical security alert on Tuesday warning of a vulnerability in the Parity Wallet library contract. The coding “accident” has affected all of Parity’s multisignature wallets that were created after July 20th. These wallets require one user to sign another’s transaction before it is added to the Ethereum blockchain.

Apparently, a user on the developer forum GitHub, who goes by the handle “Devops199,” discovered that the shared library code was not properly secured because its owner had not yet been assigned. Devops199 “accidentally” triggered a function that turned the contract governing Parity multisignature wallets into a regular wallet address and made him or her the sole “owner” of all the post-July 20 multisignature wallets. After realizing this, Devops199 tried to “kill” this wallet contract, which ended up permanently deleting the shared library code from the Ethereum blockchain. Because of the deletion, all the other multisignature wallets that use this shared library code can no longer call into it to transfer funds out, rendering them inaccessible.

Parity explains, “It would seem that issue was triggered accidentally 6th Nov 2017 and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
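The failure mode described above, as a simplified Python model added here for illustration (it is not Parity's contract code, and all class, function and account names are hypothetical). It shows why an ownerless shared library can be claimed and deleted by any caller, and how filling the library's owner slot at deployment, one possible hardening assumed here, keeps the dependent wallets usable.

```python
class LibraryGone(Exception):
    """A wallet forwarded a call to a library whose code has been deleted."""

class SharedLibrary:
    """Wallet logic. Each function acts on whichever storage dict it is given."""
    def __init__(self, lock_at_deploy):
        # The library is a contract too, so it has its own owner slot. The
        # hardened variant fills that slot at deployment so nobody can claim it.
        self.storage = {"owner": "locked" if lock_at_deploy else None}

    def init(self, storage, caller):
        if storage["owner"] is not None:
            raise PermissionError("already initialised")
        storage["owner"] = caller

    def kill(self, storage, caller):
        if storage["owner"] != caller:
            raise PermissionError("not owner")
        storage["killed"] = True  # stands in for deleting the contract's code

    def withdraw(self, storage, caller, amount):
        if storage["owner"] != caller or amount > storage["balance"]:
            raise PermissionError("not allowed")
        storage["balance"] -= amount
        return amount

class Wallet:
    """Thin contract: holds owner and balance, forwards all logic to the library."""
    def __init__(self, library, owner, balance):
        self.library, self.storage = library, {"owner": None, "balance": balance}
        self.forward("init", owner)

    def forward(self, fn, caller, *args):
        if self.library.storage.get("killed"):
            raise LibraryGone("funds remain in the wallet but cannot be moved")
        return getattr(self.library, fn)(self.storage, caller, *args)

def scenario(lock_at_deploy):
    lib = SharedLibrary(lock_at_deploy)
    wallet = Wallet(lib, owner="alice", balance=100)  # constructed sample values
    try:
        # Direct calls: the library's code runs on the library's own storage.
        lib.init(lib.storage, "stranger")  # anyone can claim an ownerless library
        lib.kill(lib.storage, "stranger")  # the new "owner" may then delete it
    except PermissionError:
        pass  # hardened library: the owner slot was already taken
    try:
        return "withdrawn", wallet.forward("withdraw", "alice", 40), wallet.storage["balance"]
    except LibraryGone:
        return "frozen", 0, wallet.storage["balance"]
```

In the unhardened run the wallet's balance is untouched, yet every forwarded call fails, which matches Parity's statement that no ether was stolen while the wallets became unusable.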

In theory, the funds have not gone missing or been stolen, and Parity said it is looking for a solution. It expressed regret over the “great deal of stress and confusion” the incident had caused.

“Parity Technologies would like to assure everyone that we are analyzing the situation. We are still working on the final number and do not want to release any speculative figures. No ether has been stolen,” the company said in a statement.

It also warned users not to open new multisignature wallets, or transfer ether “to wallets that have been deployed and are in use already,” until the issue has been resolved.

However, it is not yet clear whether Parity has been able to rectify the mistake.

Source: Motherboard

 

 
