In a vivid reminder of the risks involved for cryptocurrency investors, Ethereum slumped on Tuesday when a critical security vulnerability in multi-signature wallet belonging to London startup, Parity Technologies, was triggered on 6th November, paralyzing wallets created after July 19, and freezing tens of millions in ethereum. Parity is the same company whose coding error helped hackers steal $30 million worth of ethereum; on Tuesday, the company admitted it was facing more security problems.
So someone managed to _accidentally_ make _all_ Parity multisig wallets suicide: https://t.co/Y4XI9JrDVL— Peter Todd (@petertoddbtc) November 7, 2017
Global shared state WTF people.
Parity issued a "critical" security alert to inform its users about a bug that got "accidentally" triggered which resulted in freezing more than $280 million worth of ETH, including $90M belonging to Parity’s Founder & Ethereum former core developer, Gavin Woods. In the statement, Parity said that it had fixed the vulnerability that led to the original, July hack, but failed to catch and repair another weakness that allows users to rewrite code and take ownership of wallets that don’t belong to them. As a result, Bloomberg notes that many users found themselves unable to move funds out of their wallets because important code was deleted.
Ironically, Parity advised users not to deploy multi-signature wallets - the type impacted by the latest vulnerability - until the issue has been resolved. Multi-signature wallets are supposed to add an extra layer of security, as they require multiple verifications to confirm a transaction. The company hasn’t yet disclosed how many people have been affected.
Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.
Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
A user named devops199 claimed he triggered the bug “accidentally” and reported it through a GitHub ticket.
The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized. Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts. The event occurred in two transactions, a first one to take over the library and a second one to kill the library - which was used by all multi-sig wallets created after the 20th of July.
Among those impacted is the Web3 Foundation which is working with Parity to build a blockchain network called Polkadot. "The multi-sig used by the Web3 Foundation to accept contributions for Polkadot was one of those affected, putting the ETH in it beyond access," the firm wrote. "The affected multi-sig wallet does not contain all of the Web3 Foundation’s funds; our ability to build Polkadot as planned and to the original timetable has not been affected."
The new vulnerable contract has been deployed more than 100+ days ago on July 20th, one day after the original multi-sig vulnerability had been exploited and fixed.
The wallet contract was deployed 109 days ago yet initWallet was only called 22 hours ago, triggering the bug.https://t.co/FpVTpzTXF3— Dan Guido (@dguido) November 7, 2017
“A code has a library path. Somewhere in that path, someone removed one of the libraries. As a result, the code doesn’t work, and as a result of that, the money is frozen, which can be fixed," David Mondrus, chief executive of Trive, a blockchain-based research platform todl Bloomberg. "It does show the difference in performance and safety between hardware and software."
Contacted by Bloomberg, Parity spokeswoman Helena Flack said "We are still working on the final number and do not want to release any speculative figures."
More importantly, however, Flack said that "no ether has been stolen." That should ease the nerves of some cryptotraders who sold off Ethereum this morning when the news spread, sending the price from above $300 to the mid-$280.
As Matt Suiche concludes, "even though the vulnerable smart-contract was open source and deployed months ago, this bug managed to escape code review done by the Parity team. Since by design smart-contracts themselves can’t be patched easily, this make dependancies on third party libraries very lethal if a mistake happens.
We have seen a lot of enthusiasm from a lot of people about blockchain-based smart contracts, and the general assumption from users is that they would be secure. But just like any other piece of software a smart-contract can be vulnerable. All the recent security issues around smart contracts are challenging more and more the sustainability of storing money on a blockchain-based software layer.