Parity knew about wallet bug in August - still no fix for frozen funds
Developers knew about the bug and had flagged a fix to be deployed at an unspecified time in the future
Parity Technologies, the cryptocurrency wallet software maker, has admitted that it knew months ago about the bug that led to about $170 million worth of Ethereum cryptocurrency being frozen and inaccessible - it just hadn't fixed it.
Earlier in November, a user known as devops199 was able to take ownership of a particular piece of code (the ‘library’ smart contract, a shared component amongst all Parity multi-sig wallets) and then destroy it. Whether this was done purposefully or not has not been established.
The effect of that action was to block the contents of 587 wallets holding a total of ETH513,774.16, Parity has said in a post-mortem blog of the incident.
The issue only affected wallets created on or after the 20th July, due to the use of new code. This code, written to be as similar as possible to the original ‘stub’ smart contract deployed with each new wallet, had the same functionality as a regular wallet and contained the self-destruct function.
Parity says that it was warned about the issue (of someone being able to take control of its library contract) in August. The developers acknowledged the bug and flagged it to be fixed ‘at a future point in time’:
‘In August, a GitHub contributor called ‘3esmit’ recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement. Thus, we committed this proposed enhancement to the library contract that would automatically initialise it by calling initWallet on construction. Interpreting the recommendation as enhancement, the changed code was to be deployed in a regular update at a future point in time.’
The company went on to examine the ways in which the exploit could have been prevented (cold comfort at this point, we're sure): ‘There are essentially two main ways this exploit could have been avoided. If the contract code had not included the functionality to suicide or kill, even if someone had taken ownership, they would not have been able to do anything. The kill functionality was a remainder of the original audited contract. The other way would have been for the wallet initialisation to have been done as proposed by 3esmit, either automatically through the code change and re-deployment or manually on the contract deployed in July.’
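The two mitigations Parity describes can be checked against a small model. The Python below is an example added here, not Parity's contract code: it models a shared library and a per-wallet stub and tests each mitigation against the sequence of calls the article reports. Only initWallet and kill are names from the post-mortem; Library, WalletStub, Frozen, scenario and the one-time initialiser guard are assumptions made for the model.

```python
# Constructed model; Library, WalletStub, Frozen and scenario are hypothetical names.
class Frozen(Exception):
    """A stub forwarded a call to library code that no longer exists."""

class Library:
    def __init__(self, init_on_deploy, has_kill, deployer="deployer"):
        self.owner = None            # None means initWallet was never called
        self.destroyed = False
        self.has_kill = has_kill
        if init_on_deploy:           # mitigation: run initWallet at construction
            self.init_wallet(deployer)

    def init_wallet(self, caller):
        if self.owner is not None:   # assumed one-time initialiser guard
            raise PermissionError("already initialised")
        self.owner = caller

    def kill(self, caller):
        if not self.has_kill:        # mitigation: no suicide/kill in the code
            raise AttributeError("no kill function")
        if caller != self.owner:
            raise PermissionError("only the owner may kill")
        self.destroyed = True

class WalletStub:
    """Per-wallet stub: holds the balance, borrows its logic from the library."""
    def __init__(self, library, balance):
        self.library, self.balance = library, balance

    def withdraw(self, amount):
        if self.library.destroyed:
            raise Frozen("shared library is gone; funds unreachable")
        self.balance -= amount
        return self.balance

def scenario(init_on_deploy, has_kill):
    """An unrelated account calls initWallet, then kill; report the wallet's state."""
    lib = Library(init_on_deploy, has_kill)
    wallet = WalletStub(lib, balance=100)
    for call in (lib.init_wallet, lib.kill):
        try:
            call("unrelated-account")
        except (PermissionError, AttributeError):
            pass                     # the library refused the call
    try:
        wallet.withdraw(1)
        return "safe"
    except Frozen:
        return "frozen"
```

Only the combination deployed in July (library left uninitialised, kill still present) ends with the wallet frozen; either mitigation on its own keeps withdrawals working.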
Parity ‘deeply regrets’ the situation and says that it is working to unlock the frozen funds. However, at this point it has no fix for the issue. It is considering several Ethereum improvement proposals and has stopped issuing multi-sig wallets; the firm is also carrying out a security audit of its existing sensitive code.