November 14, 2017

A Developer’s Accidental Coding Mistake Has Frozen up to $280 Million In Ethereum

On Tuesday, hundreds of millions of dollars’ worth of Ether, the digital token of the Ethereum blockchain, was frozen on a cryptocurrency wallet because one individual “accidentally” triggered a bug.


Parity, a cryptocurrency wallet provider, said in a security alert that it had discovered a “vulnerability” in the wallet library contract of its standard multi-sig contract that allowed users to change the code and become the owners of wallets that didn’t belong to them. The company said that one person “suicided” the wallet, deleting its code and freezing all Ether tokens contained within.

Parity Tech said that users with assets in a multi-sig wallet created in Parity Wallet and deployed after 20th July have been affected. “We are analyzing the situation and exploring all possible implications and solutions,” Parity said in the security alert.

Parity revealed that, while fixing a bug that let hackers steal $32m out of a few multi-signature wallets in July, it had unknowingly introduced a new vulnerability into its systems that allowed one user to become the sole owner of every single multi-signature wallet: the vulnerability made it possible to turn the Parity Wallet library contract into a regular multi-sig wallet.

According to Parity, this vulnerability was triggered accidentally on Tuesday. A user subsequently deleted the library-turned-into-wallet, wiping out the library code. Because the logic of all multi-sig contracts was inside the library, those contracts became unusable and their funds were frozen.
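The dependency described above can be modelled in a few lines of Python. This is an added illustration, not Parity's code: the class and function names, the "alice" and "stranger" accounts and the balances are all constructed, and initialising the library at deployment is shown as one possible hardening, not as the fix Parity chose.

```python
class Revert(Exception):
    """A call that fails and changes nothing."""

class WalletLibrary:
    """Shared logic contract; it also has storage of its own."""
    def __init__(self, initialise_at_deploy):
        # Hardened variant: ownership is fixed when the library is deployed.
        self.storage = {"owner": "deployer"} if initialise_at_deploy else {}
        self.destroyed = False

    def init_wallet(self, storage, caller):
        if "owner" in storage:
            raise Revert("already initialised")
        storage["owner"] = caller

    def kill(self, storage, caller):
        if storage.get("owner") != caller:
            raise Revert("not owner")
        if storage is self.storage:  # called on the library itself
            self.destroyed = True    # its code is deleted for everyone

    def withdraw(self, storage, caller, amount):
        if storage.get("owner") != caller or storage["balance"] < amount:
            raise Revert("refused")
        storage["balance"] -= amount
        return amount

class WalletStub:
    """Holds the funds, forwards every call to the library's code."""
    def __init__(self, library, owner, balance):
        self.library, self.storage = library, {"balance": balance}
        self.call("init_wallet", owner)

    def call(self, fn, caller, *args):
        if self.library.destroyed:   # simplification: modelled as a failed call
            raise Revert("library code is gone")
        return getattr(self.library, fn)(self.storage, caller, *args)

def scenario(initialise_at_deploy):
    lib = WalletLibrary(initialise_at_deploy)
    wallet = WalletStub(lib, "alice", 100)
    try:  # an unrelated user calls the library directly, not through a wallet
        lib.init_wallet(lib.storage, "stranger")
        lib.kill(lib.storage, "stranger")
    except Revert:
        pass
    try:
        return wallet.call("withdraw", "alice", 40), wallet.storage["balance"]
    except Revert as err:
        return str(err), wallet.storage["balance"]
```

With the library left uninitialised, the wallet's balance is untouched but its owner can no longer move it; with the library initialised at deployment, the direct call is refused and the withdrawal goes through.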

Parity has not disclosed the amount of currency frozen, but French hacker Matt Suiche estimates that there could be 1 million in ether locked away, which amounts to about $280 million.

For those unaware, Ethereum is the second biggest cryptocurrency, behind Bitcoin, providing a cryptocurrency token or virtual coin called “ether.” Parity Technologies is a large provider of cryptocurrency wallets and is used by many to interact with the Ethereum blockchain.

Who Did it?

The bug was triggered by a user who goes by the handle devops199 on the developer forum GitHub, while he was looking through the Parity code for ways that it could be exploited.

Parity has warned users not to open new multi-signature wallets, or transfer ether “to wallets that have been deployed and are in use already,” until the issue has been resolved. However, this development highlights the underlying security issue that affects the wallets and their users.
