A regular GitHub user accidentally triggered a flaw Ethereum Parity Wallet that locked up $280 million in Ether

Pierluigi Paganini November 08, 2017

A GitHub user accidentally triggered a flaw in the Parity Wallet library contract of the standard multi-sig contract that locked up $280 million in Ether.

Ethereum made again the headlines, someone has accidentally triggered a vulnerability in the popular Parity Wallet that locked up $280 million in Ether, including $90 million raised by Parity Technologies’s founder Gavin Woods.

The huge amount of money from dozens of Ethereum wallets operated by the Smart contract coding startup Parity Technologies the was permanently locked up.

It has been estimated that Parity wallets constitute roughly 20% of the entire Ethereum network.

Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced the incident that was caused by a severe vulnerability in its “multisignature” wallets created after this July 20.  Owners of the affected wallets will be not able to move their funds.

” A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.” reads the announcement.

“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

The vulnerability was triggered by a regular GitHub user, “devops199,” who allegedly accidentally removed a critical library code from the source code, this operation turned all multi-sig contracts into a regular wallet address with devops199 as its owner.

Devops199 then killed the wallet contract, making all Parity multisignature wallets tied to that contract useless, and locking up their funds.

“These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at “0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4″ address,” devops199 explained on GitHub.

“I made myself the owner of ‘0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4’ contract and killed it and now when I query the dependent contracts ‘isowner(<any_addr>)’ they all return TRUE because the delegate call made to a died contract.”

Ethereum Parity Wallet

In July, an unknown hacker has stolen nearly $32 million in funds from Parity multisignature wallets, the attacker triggered a vulnerability to compromise at least three accounts and steal nearly 153,000 units of Ether.

Parity released on 20th of July, a new version of the Parity Wallet library contract that addressed the flaw, but the code was still affected by another issue that allowed the devops199 user to turn the Parity Wallet library contract into a regular wallet.

Parity immediately froze all affected multi-sig wallets while working to fix the problem, it plans to provide further details shortly.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Parity Technologies, Ethereum Parity Wallet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment