Parity's $280m Ethereum wallet freeze was no accident: It was a HACK, claims angry upstart

And we have evidence to prove it, says biz stiffed out of $1m

currency

A crypto-currency collector who was locked out of his $1m Ethereum multi-signature wallet this week by a catastrophic bug in Parity's software has claimed the blunder was not an accident – it was "deliberate and fraudulent."

On Tuesday, Parity confessed all of its multi-signature Ethereum wallets – which each require multiple people to sign-off transactions – created since July 20 were "accidentally" frozen, quite possibly permanently locking folks out of their cyber-cash collections. The digital money stores contained an estimated $280m of Ethereum; 1 ETH coin is worth about $304 right now. The wallet developer blamed a single user who, apparently, inadvertently triggered a software flaw that brought the shutters down on roughly 70 crypto-purses worldwide.

That user, known as devops199 on GitHub although has since deleted their account, claimed they created a buggy wallet and tried to delete it. Thanks to a programming blunder in Parity's code, that act locked down all wallets created after July 20, when Parity updated the multi-signature wallet software following a $30m robbery.

failure

Parity calamity! Wallet code bug destroys $280 MEEELLION in Ethereum

READ MORE

One of those now-frozen Ethereum wallets belongs to Cappasity, a startup an online marketplace for AR and VR 3D models. It says it had 3,264 ETH in the knackered Parity money store, worth about $1m at current prices, and isn't likely to get the funds back any time soon. Cappasity amassed the Ethereum from punters buying ARtokens, which can be exchanged for designs when the souk launches later this year. The biz still has access to the Bitcoins it received for ARtokens.

Now Cappasity has alleged the wallet freeze was no accident: someone deliberately triggered the mass lock down, we're told, and there's evidence to prove it. By studying devops199's attempts to extract and change ownership of ARToken’s and Polkadot’s smart contracts, it appears the user was maliciously poking around, eventually triggering the catastrophic bug in Parity's software

"Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate," said Cappasity's founder Kosta Popov in a statement this week.

"When you are tracking all their transactions, you realize that they were deliberate... Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hacking. We believe that if the situation is not successfully resolved in the nearest future, contacting law enforcement agencies may be the right next step."

This rather gives a lie to the idea that this was a one-off accident. Instead it looks as though devops199 was deliberately trying to break the multi-sig system and took a number of tries to do so.

While the Ethereum in the wallets is untouched, it's simply not accessible. Parity has yet to issue an update on its progress to recover the currency, and did not reply to requests for comment today. That's not making customers like Cappasity very happy. If someone calls the cops on this, quite how the police would handle the case is unclear, given the current levels of tech cluelessness displayed by law enforcement on matters technical. So don’t hold your breath on a speedy resolution. ®


Biting the hand that feeds IT © 1998–2017