$150 Million Worth Of Ethereum Reportedly Frozen Due To Parity Wallet Vulnerability

If you recently jumped on the Ethereum bandwagon, you might want to sit down for this news. A security vulnerability has been discovered in the Parity wallet service deployed by Parity Technologies.

According to a security alert issued by Parity Technologies today, the vulnerability was found within the standard multi-signature (multi-sig) wallet update that was deployed with the Parity Wallet back on July 20th. A multi-sig setup requires that more than one key be used to both initiate and broadcast ETH transactions.


What's astounding is the July 20th update was rushed into place after another exploit earlier in the month resulted in roughly $30 million in ETH being stolen from wallets. For its part, Parity Technologies explains:

That code still contained another issue - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
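The sequence Parity describes, replayed in a toy Python model. This is an example added here, not Parity's Solidity code. The `lock_library` flag is an assumed hardening that marks the library's own storage as initialised at deployment, and all names and addresses are hypothetical.

```python
# Toy model of wallets that borrow all logic from one shared library contract (constructed).
LIB = "lib"  # placeholder address of the shared library

class Chain:
    def __init__(self, lock_library):
        self.code = {LIB}  # addresses that still have code deployed
        # Assumed hardening: mark the library's own storage initialised at deploy.
        self.storage = {LIB: {"owner": None, "initialised": lock_library}}

    def new_wallet(self, addr, owner):
        self.code.add(addr)  # a wallet holds only state; its functions live in LIB
        self.storage[addr] = {"owner": None, "initialised": False}
        self.call(addr, "init_wallet", owner)

    def call(self, target, fn, sender):
        if LIB not in self.code:
            raise RuntimeError("library code is gone: wallet unusable")
        # Library logic runs against the storage of whichever contract was called.
        return getattr(self, "_" + fn)(target, self.storage[target], sender)

    def _init_wallet(self, addr, state, sender):
        if state["initialised"]:
            raise PermissionError("already initialised")
        state.update(owner=sender, initialised=True)

    def _kill(self, addr, state, sender):
        if state["owner"] != sender:
            raise PermissionError("only the owner may destroy")
        self.code.discard(addr)

    def _withdraw(self, addr, state, sender):
        if state["owner"] != sender:
            raise PermissionError("only the owner may withdraw")
        return "withdrawn"

def replay(lock_library):
    """Replay the sequence in Parity's alert; return what the wallet owner sees."""
    chain = Chain(lock_library)
    chain.new_wallet("wallet", "alice")
    try:
        chain.call(LIB, "init_wallet", "stranger")  # library treated as a wallet
        chain.call(LIB, "kill", "stranger")         # its new owner destroys it
    except PermissionError:
        pass  # the locked library refuses the initialisation
    try:
        return chain.call("wallet", "withdraw", "alice")
    except RuntimeError as err:
        return str(err)
```

With the library left uninitialised, the wallet's rightful owner can no longer run any function; with it locked at deployment, the same sequence leaves the wallet working.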

Although we don't have a concrete number on how many Parity wallets deployed after July 20th are affected, UCL cryptocurrency expert Patrick McCorry estimates that somewhere around $150 million in ETH is frozen at this time.

The person that discovered the vulnerability, a developer named devopps199, likened the current situation to money locked away in a bank vault:

The big problem now is figuring out how to unlock or "unfreeze" the funds and how to prevent such an occurrence from happening again. Regardless, it's incidents like this that have caused banking executives like JPMorgan Chase CEO Jamie Dimon to say that cryptocurrencies aren't "a real thing" and that they will eventually be shut down.


Via:  CoinDesk