Ethereum user accidentally exploits major vulnerability, locks wallets

Wallets are frozen while Parity works on a solution.
Written by Charlie Osborne, Contributing Writer

An Ethereum user has unwittingly exploited a major flaw in Parity wallets which has locked users out of their accounts, potentially freezing millions of dollars' worth of the cryptocurrency.

In a security advisory last night, Parity -- the makers of wallet software used to store and trade Ethereum -- said the "critical" issue impacts multi-sig wallets.

The frozen multi-sig wallets are estimated to hold roughly $150 million in Ethereum.

The company said the vulnerability exists in the Parity wallet library contract of the standard multi-sig contract and was "found" by a user.

The bug was indeed found, albeit by complete accident.

"It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library," Parity says.

An Ethereum user called devops199 said he was able to make himself the owner of a contract which he later "killed" by accident by removing a critical element of library code, which in turn made Parity multi-sig wallets tied to the contract unworkable -- locking up the funds.

Devops199 explained:

"I'm not the owner of that contract. I was able to make myself the owner of that contract because it's uninitialized. These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address.

I made myself the owner of "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" contract and killed it and now when I query the dependent contracts isowner() they all return TRUE because the delegate call is made to a dead contract.

I believe someone might exploit."

If traders are able to exploit the Parity wallet contracts to become owners of multi-sig wallets, this is a vulnerability which could cause havoc for cryptocurrency trading.
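To make the mechanism described above concrete from a defender's point of view, here is an added illustrative example in Solidity. It is not Parity's code and does not reproduce the actual library at the address quoted above; the contract and function names (SharedWalletLogicVulnerable, SharedWalletLogicHardened, WalletProxy, initWallet, kill) are assumptions chosen for the illustration. It shows a shared logic contract whose own storage is never initialized, so anyone can claim it and self-destruct it, next to a hardened version that initializes itself at deployment, guards its initializer, carries no self-destruct, and whose proxy refuses to forward calls to an address that no longer holds code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal reproduction of the pattern in the article (not Parity's code).
// Each wallet is a thin proxy that delegatecalls into one shared logic contract,
// so the logic runs against the proxy's storage.

// Vulnerable pattern: the logic contract's own storage is left empty after
// deployment, its initializer has no "already initialized" guard, and it exposes
// a self-destruct. Calling initWallet directly on the logic contract (not through
// a proxy) sets the logic contract's own owner; kill() then removes the code that
// every dependent proxy relies on.
contract SharedWalletLogicVulnerable {
    address public owner;

    function initWallet(address _owner) public {
        owner = _owner;                        // no check that owner is still unset
    }

    function isOwner(address who) public view returns (bool) {
        return who == owner;
    }

    function kill() public {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner));          // deletes code for all dependent proxies
    }
}

// Hardened pattern: the logic contract initializes its own storage in its
// constructor so it can never be claimed, the initializer can run only once per
// storage context (i.e. once per proxy), and there is no self-destruct at all.
contract SharedWalletLogicHardened {
    address public owner;                      // slot layout shared with WalletProxy
    bool private initialized;

    constructor() {
        initialized = true;                    // the logic contract itself is never a wallet
    }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    function initWallet(address _owner) public onlyUninitialized {
        initialized = true;
        owner = _owner;
    }

    function isOwner(address who) public view returns (bool) {
        return who == owner;
    }
}

// Proxy used with the hardened logic. Storage layout mirrors the logic contract
// so delegatecall writes land in the intended slots. `logic` is immutable, so it
// lives in code, not storage, and does not disturb the layout.
contract WalletProxy {
    address public owner;
    bool private initialized;
    address public immutable logic;

    constructor(address _logic, address _owner) {
        logic = _logic;
        (bool ok, ) = _logic.delegatecall(
            abi.encodeWithSignature("initWallet(address)", _owner)
        );
        require(ok, "init failed");
    }

    fallback() external payable {
        address target = logic;
        // Mitigation/detection point: a low-level delegatecall to an address with
        // no code "succeeds" with empty return data, which is why reads against a
        // destroyed library become meaningless. Fail loudly instead.
        require(target.code.length > 0, "logic contract has no code");
        assembly {
            calldatacopy(0, 0, calldatasize())
            let result := delegatecall(gas(), target, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch result
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}
```

Two design points worth noting. First, the constructor of the hardened logic contract runs against the logic contract's own storage, while initWallet invoked through the proxy runs against the proxy's storage, so the guard blocks a second initialization in each context independently. Second, the explicit code-length check in the proxy is what turns "every call silently returns garbage" into "every call reverts", which is far easier to detect and reason about during an incident. On networks that have adopted EIP-6780, selfdestruct no longer removes a contract's code outside the transaction that created it, but the unguarded-initializer half of the pattern is unaffected by that change and still needs the guard shown here.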

Some Reddit users have suggested that the act was malicious, but in an interview, Devops199 said that he was researching an article based on a former Parity wallet compromise and "I'm walking randomly because I'm a newbie, I even don't know how to code."

In order to prevent the public bug from being used to steal wallets or funds, Parity has frozen dependent multi-sig wallets that were deployed after July 20 until a solution is found.

The vulnerability follows an issue in Parity wallets which was exploited in July this year. Versions 1.5 and below of the wallet contained a bug which allowed attackers to hijack wallets and steal funds, leading to approximately $30 million in Ethereum being taken.

Researchers drained wallets and held funds for users while fixes were applied to stem the flow of theft.
