Makers of the Parity multi-sig Ethereum wallet have announced a critical vulnerability that has led to millions of dollars of funds being frozen. It is the second flaw to be discovered following the original Parity breach in July that led to $30 million of ether being stolen.
Parity Discovers Second Flaw in Five Months
Users of the popular Parity Ethereum wallet have been left reeling after its developers revealed the discovery of a security flaw. The threat, which has been described as “critical”, renders all multi-sig contracts unusable and has locked up hundreds of millions of dollars of ether. The news couldn’t have come at a worse time for Parity, which has been battling to restore its reputation following July’s embarrassing hack, which led to at least 150,000 ethers being stolen. The original theft would have been worse were it not for the actions of white hat hackers, who helped to recover an additional 377,000 ethers.
Following the hack, Parity issued a fix for the exploit, deploying a new library contract that was meant to resolve the issue. It has now transpired that the new code contained another flaw, which enabled the shared library contract behind the Parity Wallet to be converted into a regular multi-sig wallet. As a consequence, an individual was able to call the initWallet function directly on the library and take ownership of the library-turned-wallet.
Multi-Sig Funds Frozen
In a blog post explaining the latest flaw, the Parity team stated:
It would seem that the issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
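The two paragraphs above describe one mechanism: wallets held no logic of their own and forwarded every call to a shared library via delegatecall, the library's own storage was never initialised, so its initWallet could be called directly, and once its owner could selfdestruct it every dependent wallet was left with nothing to execute. The following Solidity (0.4.x era) is an added, simplified illustration written for this page; it is not Parity's source code and not its actual fix. Contract and function names other than initWallet are assumed for the example, and the "hardened" variant shows one defensive pattern (claim the library's own storage at construction and refuse re-initialisation), not the only one.

```solidity
pragma solidity ^0.4.18;

// Vulnerable pattern (illustrative): the shared library's own storage slots start
// out zeroed, and initWallet has no guard, so the library instance itself can be
// initialised like a wallet. Slot layout: owner at slot 0, initialised at slot 1.
contract WalletLibraryVulnerable {
    address public owner;
    bool public initialised;

    // Intended to run only via delegatecall from a wallet, writing the wallet's
    // owner into the wallet's storage. Nothing stops a direct call on the library.
    function initWallet(address _owner) public {
        owner = _owner;
        initialised = true;
    }

    // Owner-only. Called directly on the library (after a direct initWallet),
    // this erases the library's code, and every wallet delegating to it dies with it.
    function kill(address _to) public {
        require(msg.sender == owner);
        selfdestruct(_to);
    }
}

// Hardened pattern: the constructor marks the library's own storage as already
// initialised, so a direct initWallet on the library always reverts and its owner
// stays address(0), which no caller can ever be. Delegatecalls from wallets still
// work, because they run against the wallet's (uninitialised) storage.
contract WalletLibraryHardened {
    address public owner;
    bool public initialised;

    function WalletLibraryHardened() public {
        initialised = true;   // assumption for this example: library storage is never a wallet
    }

    function initWallet(address _owner) public {
        require(!initialised);   // rejects re-initialisation, including on the library itself
        owner = _owner;
        initialised = true;
    }

    function kill(address _to) public {
        require(msg.sender == owner);
        selfdestruct(_to);
    }
}

// Minimal wallet that keeps no logic of its own. Its storage layout must mirror the
// library's first slots, because the library's code runs on this contract's storage.
contract Wallet {
    address public owner;        // slot 0, mirrors the library
    bool public initialised;     // slot 1, mirrors the library
    address public library;      // slot 2, only the wallet uses it

    function Wallet(address _lib, address _owner) public {
        library = _lib;
        // Run the library's initWallet against THIS wallet's storage.
        require(_lib.delegatecall(bytes4(keccak256("initWallet(address)")), _owner));
    }

    // Every other call is forwarded to the library's code. If the library has been
    // selfdestructed, delegatecall to an address with no code still returns true,
    // so each forwarded call becomes a silent no-op and the ether can never leave.
    function() public payable {
        require(library.delegatecall(msg.data));
    }
}
```

The defensive point is the difference between the two libraries: in the vulnerable one the library instance is indistinguishable from a fresh wallet, so any guard that depends on "owner is set" is satisfiable by whoever initialises it first; in the hardened one that state is claimed at deployment. A practitioner reviewing a delegatecall-based wallet would also check that the storage layouts of wallet and library match slot for slot, and that a destroyed library is detectable (for example by checking that the library address still has code) rather than silently succeeding.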