Parity shakes up wallet audits, but funds remain frozen

After a user accidentally stole and froze funds in over 500 wallets, a solution is yet to be found.
Written by Charlie Osborne, Contributing Writer

Parity has temporarily disabled multi-sig functionality in the firm's wallets following the accidental freeze of millions of Ether, but there is still no word on how users are going to recover their funds.

On Wednesday, the developers of the Parity wallet -- used to store and trade cryptocurrency including Ethereum (ETH) -- said that an investigation into an incident leading to the loss of user Ethereum has resulted in a planned overhaul of the wallet's infrastructure and implementation.

On 6 November, Ethereum user devops199 said he had "accidentally" made himself the owner of a contract, which, in turn, made him the owner of the wallets connected to that contract.

Devops199 then, perhaps in a panic, wiped out a critical element of the library code, which froze all of the multi-sig Parity wallets connected to the contract.

The user explained:

"I'm not the owner of that contract. I was able to make myself the owner of that contract because it's uninitialized. These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address.

I made myself the owner of "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" contract and killed it and now when I query the dependent contracts "isowner()" they all return TRUE because the delegate call made to a died contract."

However it happened, the action has blocked the funds of 587 wallets containing 513,774.16 Ether, as well as other cryptocurrencies, equating to over $160 million at the time of writing.

In a blog post, Parity said that a vulnerability in the library code allowed the deletion to occur, although an audit of the wallet software has uncovered no further vulnerabilities.

The original multi-sig wallet code was created and audited by the Ethereum Foundation's dev team, Parity, and others. However, a few changes were later made, and following an attack in July in which a cyberattacker exploited a vulnerability in the wallet and made off with roughly $30 million in ETH, the library contract was fixed and deployed.

"In August, a Github contributor called 3esmit recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement," Parity added. "Thus, we committed this proposed enhancement to the library contract that would automatically initialize it by calling initWallet on construction.

"Interpreting the recommendation as enhancement the changed code was to be deployed in a regular update at a future point in time," the company said. "[...] devops199 identified the uninitialized owner in the contract deployed in July and chose to initialize it, thereby setting themselves as the owner; subsequently, devops199 chose to kill the library contract."

If the kill function had not been included, the funds would not have been frozen even if ownership had been taken. In addition, if 3esmit's recommendation had been deployed sooner, the disaster would have been avoided.
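The failure mode described above, as an added illustrative example that is not Parity's code: a simplified shared wallet library whose own storage is never initialized at deployment and which exposes a kill path, beside a version that initializes itself in its constructor. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Simplified hypothetical illustration, not Parity's code; names are assumed.

// Each wallet forwards calls to a shared library via delegatecall, so the
// library's code runs against the wallet's own storage (owner lives there).
contract WalletProxy {
    address public immutable libraryAddr;

    constructor(address lib) { libraryAddr = lib; }

    fallback() external payable {
        (bool ok, ) = libraryAddr.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}

// VULNERABLE pattern: the library's own `owner` slot is never set at deploy,
// so initWallet can be called directly on the library. Once the library has
// an owner, kill() removes the code every proxy depends on; afterwards a
// delegatecall to the empty address "succeeds" but executes nothing, so the
// wallets can no longer move funds.
contract WalletLibraryVulnerable {
    address public owner;

    modifier onlyUninitialized() { require(owner == address(0), "init"); _; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function initWallet(address newOwner) external onlyUninitialized {
        owner = newOwner;
    }

    function kill(address payable to) external onlyOwner {
        selfdestruct(to);
    }
}

// HARDENED pattern (the August change the article describes): initialize the
// library's own storage in its constructor so it is never left claimable.
// Proxies still initialize their own storage through delegatecall, and a
// shared library should have no kill() path at all.
contract WalletLibraryHardened {
    address public owner;

    modifier onlyUninitialized() { require(owner == address(0), "init"); _; }

    constructor() { initWallet(msg.sender); }

    function initWallet(address newOwner) public onlyUninitialized {
        owner = newOwner;
    }
}
```

A review check for this class of bug: every contract that is a delegatecall target must have its own storage initialized in its constructor, and must not contain selfdestruct.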

Hindsight is a wonderful thing, but now it is up to Parity to do what it can to try and unfreeze funds and restore user confidence.

"We deeply regret the situation and we are working hard on several Ethereum improvement proposals (EIPs), both contributing to previously existing ones and suggesting new ones that have the potential to unblock funds. These improvement proposals will also address general cases of blocked funds."

Users awaiting their Ethereum will have to wait a little longer as there is no timeline for improvements or the unfreezing of funds -- assuming it can be accomplished.

Parity has laid out a number of changes designed to salvage the situation and the project's reputation. Among the changes is the removal of automatic multi-sig wallet functionality, "until we feel we have the correct security and operations procedures in place so that we can be confident this will not happen again."

In addition, Parity plans to commission a full external security audit and an internal review, extend the software's bug bounty program, and develop better relationships with the research community.
