Bug in Parity Wallet Freezes Millions of Euros of Ethereum
Ethereum Wallet Parity has warned its users that a bug has frozen a group of users’ wallets, preventing transactions from being possible. It turned out to be possible to convert a library into a wallet.
According to an initial estimate, about a million ether has been affected by the bug, which translates to 258 million euros. The approximately 70 affected wallets would be found in a Pastebin file. Parity Technologies writes in a warning that so-called multi-sig wallets created after July 20 are affected by the bug. That’s because code was introduced on July 19 to patch a leak that allowed criminals to steal $27 million worth of ether.
Security researcher Matt Suiche analyzes how the bug works in a blog post. He writes that the new code could be converted in the form of a smart contract and a wallet, because Ethereum does not distinguish between contracts, libraries and accounts. A GitHub user called devops199 created a ticket to report the bug, which was related to the lack of ownership of the wallet. In the report, he said he accidentally destroyed the contract.
Suiche explains that this was possible because he designated himself as the owner of the wallet by taking advantage of the fact that the wallet had an uninitialized owner. For example, he converted the library into a multi-sig wallet. He then destroyed the wallet, freezing all other wallets that depended on the code in the library.
Parity says it is “analysing the situation” but has not released any details yet. Meanwhile, several users are calling for a hard fork to fix the problem. That also happened after a hack on The DAO. Ethereum developer Vitalik Buterin goes does not comment on the events and only says that simpler and more secure wallets are needed.