Millions of dollars frozen by Ethereum code bug
Issue locks up multi-sig wallets
A major vulnerability has been found within Ethereum, the public blockchain platform used to host many cryptocurrencies, which has led to as much as $280 million being frozen and made inaccessible.
Parity Technologies says that new code released on the 19th July - to fix another bug, ironically - was found to be vulnerable:
‘It was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.’
Effectively, this means that all multi-signature wallets deployed after the 20th July are (for now) unusable. Parity tweeted that the funds have been frozen, rather than wiped.
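The sequence Parity describes above, as an added Python model (not Parity's contract code and not part of the original article): a shared library whose own storage was never initialised is claimed through a direct `initWallet` call and then killed, after which the wallets that delegate to it can no longer execute anything. The account names, the `0x0` placeholder owner, the only-if-uninitialised guard and the `lock_at_deploy` mitigation are assumptions of the model.

```python
# Added model, not Parity's code: library code runs against a context account.
from contextlib import suppress

class WalletLibrary:
    def __init__(self, lock_at_deploy):
        # Assumed mitigation: occupy the library's own owner slot at deployment.
        self.owners = {"0x0"} if lock_at_deploy else set()
        self.has_code = True

    def run(self, ctx, fn, sender, *args):
        if not self.has_code:
            return False  # no code at the library address: nothing executes
        return getattr(self, fn)(ctx, sender, *args)

    def initWallet(self, ctx, sender, owners):
        if ctx.owners:  # assumed guard: uninitialised storage only
            raise PermissionError("already initialised")
        ctx.owners = set(owners)

    def kill(self, ctx, sender):
        if sender not in ctx.owners:
            raise PermissionError("not an owner")
        ctx.has_code = False  # suicide wipes the context account's code

    def execute(self, ctx, sender, to, value):
        if sender not in ctx.owners:
            raise PermissionError("not an owner")
        return True  # stands in for the real state-modifying logic

class Wallet:
    def __init__(self, library, owners):
        self.owners = set()  # the wallet keeps the state, the library the logic
        self.library = library
        library.run(self, "initWallet", owners[0], owners)

    def execute(self, sender, to, value):  # every call is delegated
        return self.library.run(self, "execute", sender, to, value)

def scenario(lock_at_deploy):
    lib = WalletLibrary(lock_at_deploy)
    wallet = Wallet(lib, ["alice", "bob"])
    before = wallet.execute("alice", "carol", 1)
    with suppress(PermissionError):  # a locked library rejects the direct call
        lib.run(lib, "initWallet", "stranger", ["stranger"])  # ctx = library
        lib.run(lib, "kill", "stranger")
    return before, wallet.execute("alice", "carol", 1)  # False = frozen
```

`scenario(False)` shows the wallet working before the library is killed and frozen afterwards; `scenario(True)` shows the same wallet still working because the library could not be initialised by an outside caller.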
Multi-sig wallets require the consent of multiple parties before transactions can be approved. They are popular with startups and other collective groups due to their additional security, and are also a common way to store money raised through initial coin offerings (ICOs). Because of this, multi-sig wallets tend to store large amounts of virtual cash.
While the amount of money affected has not been announced, some sources estimate that it could be as much as 20 per cent of the entire Ethereum network.
Dominic Williams, founder of self-governing blockchain computer DFINITY, told us:
"The Parity vulnerability was the result of an incorrectly-coded smart contract used by the Parity wallet to store tokens on the Ethereum network. The vulnerability made it possible for anyone to ‘freeze’ the tokens held by that smart contract, making them immovable. At this time, the only method we are aware of to ‘unfreeze’ tokens held by the vulnerable smart contract would be to create a new ‘hard fork’ Ethereum client that deploys a fix. This would require every full node on the Ethereum network to upgrade by the date of the hard fork to stay in sync, including all miners, wallets, exchanges, etc."
Williams added that a self-governing system like DFINITY would not require every node on the network to deploy a manual fix, but could update itself autonomously.