According to a security alert issued by Parity Technologies today, the vulnerability was found within the standard multi-signature (multi-sig) wallet update that was deployed with the Parity Wallet back on July 20th. A multi-sig setup requires that more than one key be used to both initiate and broadcast ETH transactions.
What's astounding is the July 20th update was rushed into place after another exploit earlier in the month resulted in roughly $30 million in ETH being stolen from wallets. For its part, Parity Technologies explains:
That code still contained another issue - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
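The failure mode Parity describes can be modelled in a few lines. This is an added example, not Parity's code: it is a toy Python model in which every class, function and owner name is hypothetical and multi-sig confirmations are left out. It shows why an uninitialised shared library freezes every dependent wallet once its code is removed, next to one possible mitigation (an assumption, not Parity's stated fix): marking the library's own storage as initialised at deployment.

```python
# Toy model (constructed): wallets keep their own storage but run all
# state-changing logic from one shared library contract.
class Library:
    def __init__(self, lock_own_storage):
        self.code_present = True
        # Hardened variant: the library's own storage starts out initialised,
        # so nobody can later become an owner of the library itself.
        self.storage = {"owners": set(), "initialised": lock_own_storage}

    # Logic functions act on whatever storage the calling context supplies.
    def init_wallet(self, storage, owners):
        if storage["initialised"]:
            raise PermissionError("already initialised")
        storage["owners"] = set(owners)
        storage["initialised"] = True

    def kill(self, storage, caller, context):
        if caller not in storage["owners"]:
            raise PermissionError("not an owner")
        context.code_present = False  # self-destruct removes the executing contract's code

class Wallet:
    def __init__(self, library, owners):
        self.library = library
        self.storage = {"owners": set(), "initialised": False, "balance": 100}
        library.init_wallet(self.storage, owners)  # delegated: wallet's storage

    def withdraw(self, caller, amount):
        if not self.library.code_present:
            return False  # no logic left to run: funds are frozen
        if caller not in self.storage["owners"]:
            raise PermissionError("not an owner")
        self.storage["balance"] -= amount
        return True

def library_can_be_claimed(library, caller="outsider"):
    # Audit check: can an arbitrary caller initialise the library directly?
    try:
        library.init_wallet(library.storage, [caller])  # library's own storage
        return True
    except PermissionError:
        return False

def scenario(lock_own_storage):
    lib = Library(lock_own_storage)
    wallet = Wallet(lib, ["alice", "bob"])
    claimed = library_can_be_claimed(lib)
    if claimed:
        lib.kill(lib.storage, "outsider", context=lib)
    return claimed, wallet.withdraw("alice", 10)
```

`scenario(False)` reproduces the freeze described above, while `scenario(True)` leaves the wallet usable because the direct initialisation is rejected.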
Although we don't have a concrete number on how many Parity wallets deployed after July 20th are affected, UCL cryptocurrency expert Patrick McCorry estimates that somewhere around $150 million in ETH is frozen at this time.
Update: Two duplicates found in list. Over $150m locked and 616k ether. — Paddy [blockchain] (@paddyucl) November 7, 2017
The person that discovered the vulnerability, a developer named devops199, likened the current situation to money locked away in a bank vault:
It's simple really, imagine walking up to a bank vault and there's a button that says "Lock Forever"....... someone accidentally pushes it. — devops199 (@devops199) November 7, 2017
The big problem now is figuring out how to unlock or "unfreeze" the funds and how to prevent such an occurrence from happening. Regardless, it's incidents like this that have caused banking executives like JPMorgan Chase CEO Jamie Dimon to say that cryptocurrencies aren't "a real thing" and that they will eventually be shut down.