Parity calamity! Wallet code bug destroys $280m in Ethereum
Punter 'accidentally' borks dozens of strangers' cryptocurrency collections
There's a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity's wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.
Parity, which was set up by Ethereum core developer Gavin Woods, admitted today that a user calling themselves devops199 had "accidentally" triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods' own savings.
Multi-signature wallets mean more than one person has to sign off on a transaction before funds are moved, and are popular with companies and investment groups looking to protect their assets. Unfortunately, Parity's technology is seriously flawed: in July a hacker managed to exploit errors in the multi-signature code to steal about $30m in Ethereum.
In response to that cockup, Parity updated its wallet software to address the vulnerability, and rolled out a new version. However, that update contained another disastrous bug, one that would lock people out of their wallets. It was set off by devops199 on Monday, affecting anyone who had installed the new code since its release.
"That code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function," Parity's advisory stated.
"It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library."
In a series of posts on GitHub, devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update.
A full list of 70-odd affected wallets has been uploaded to Pastebin.
Parity has confirmed the above sequence of events leading to this week's catastrophe with The Register. So far there's no response on whether it will be possible to unlock the wallets, or if there are any plans to recover punters' digital dosh. We'll post more information when it becomes available.
One Ethereum coin is right now worth about $293. ®
Sponsored: Becoming a Pragmatic Security Leader