About $300 million worth of Ether—the cryptocurrency unit that has become one of the most popular and increasingly valuable cryptocurrencies—from dozens of Ethereum wallets was permanently locked up today.
Smart contract coding startup Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced earlier today that its "multisignature" wallets created after this July 20 contains a severe vulnerability that makes it impossible for users to move their funds out of those wallets.
According to Parity, the vulnerability was triggered by a regular GitHub user, "devops199," who allegedly accidentally removed a critical library code from the source code that turned all multi-sig contracts into a regular wallet address and made the user its owner.
Devops199 then killed this wallet contract, making all Parity multisignature wallets tied to that contract instantly useless, and therefore their funds locked away with no way to access them.
"These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address," devops199 wrote on GitHub.
"I made myself the owner of '0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4' contract and killed it and now when I query the dependent contracts 'isowner(<any_addr>)' they all return TRUE because the delegate call made to a died contract."
Parity multisignature wallets also experienced a vulnerability in July this year that allowed an unknown hacker to steal nearly $32 million in funds (approximately 153,000 units of Ether) before the Ethereum community secured the rest of its vulnerable Ether.
According to Parity, a new version of the Parity Wallet library contract deployed on 20th of July contained a fix to address the previously exploited multi-sig flaw, but the code "still contained another issue," which made it possible to turn the Parity Wallet library contract into a regular wallet.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
The vulnerability affected Parity multi-sig wallets that were deployed after July 20—meaning ICOs (Initial Coin Offerings) that were held since then may be impacted.
So far, it is unclear exactly how much cryptocurrency has disappeared due to this blunder, but some cryptocurrency blogs have reported that Parity wallets constitute roughly 20% of the entire Ethereum network.
This made researchers familiar with the space estimating around $280 Million worth of Ether is now inaccessible at this time, including $90 million of which was raised by Parity's founder Gavin Woods.
Parity froze all affected multi-sig wallets (that is millions of dollars' worth of Ethereum-based assets) as its team scrambles to bolster security. The team also promised to release an update with further details shortly.