The 500,000 ETH that were frozen when an alleged "novice" user accidentally deleted code in the Parity wallet, rendering all Parity multi-signature wallets unusable, remain inaccessible. At the current Ethereum market price, these funds are worth more than USD 280 million.
As JustCryptoNews.com reported on November 7, the issue concerns the second most popular Ethereum wallet, Parity. A crucial part of the software has been exploited, although by accident, rendering half a million Ether stored in multi-signature wallets unusable.
What Multi-Signature Wallets Are
A multi-signature wallet is a smart contract designed to let multiple wallet owners manage cryptocurrencies and crypto assets. This kind of wallet has more features than ordinary wallets. For instance, it allows users to set daily withdrawal limits, vote for withdrawals, and vote for ownership changes. As a result, a multi-signature wallet offers enhanced security. If the account of one wallet owner is compromised, the owners retain control of their money.
Due to their security features, multi-signature wallets usually contain a lot of funds and are used by startups, ICOs or large organizations to prevent members or employees from stealing funds.
How The Hack Happened
Parity Technologies explained the circumstances of the exploit, saying that there was a bug in their code which allowed a user to "turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function." That bug was triggered on November 6, and "subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable."
The vulnerability has affected all Parity multi-signature wallets launched after July 20, 2017. On that day, Parity had been updated to close a previously discovered bug that enabled hackers to steal over $30 million of Ether from wallets.
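The sequence Parity describes can be replayed in a small model. This is an added example, not Parity's contract code: it is a Python simulation, and the names WalletLibrary, MultiSigWallet, replay and init_at_deploy, the sample owners and balance, the only-uninitialised guard and the deploy-time initialisation shown as a mitigation are all assumptions of the model.

```python
class Reverted(Exception): pass  # stands in for a reverted or failed contract call

class Contract:
    def __init__(self):
        self.owners, self.balance, self.has_code = [], 0, True

class WalletLibrary(Contract):
    """Shared wallet logic; also a contract with its own, separate owner storage."""
    def __init__(self, init_at_deploy):
        super().__init__()
        self.owners = ["<placeholder owner>"] if init_at_deploy else []  # True = mitigation

    def execute(self, ctx, sender, fn, *args):
        """Run library code against ctx's storage; ctx is self on a direct call."""
        if not self.has_code:
            raise Reverted("library code no longer exists")
        if fn == "initWallet":
            if ctx.owners:  # only-uninitialised guard (assumption of this model)
                raise Reverted("already initialised")
            ctx.owners = list(args[0])
        elif fn == "isOwner":
            return args[0] in ctx.owners
        elif fn == "kill":
            if sender not in ctx.owners:
                raise Reverted("caller is not an owner")
            ctx.has_code = False  # self-destruct removes the executing contract's code

class MultiSigWallet(Contract):
    """Thin stub: keeps funds and owners, forwards every call to the library."""
    def __init__(self, library, owners, balance):
        super().__init__()
        self.library, self.balance = library, balance
        self.call(owners[0], "initWallet", owners)

    def call(self, sender, fn, *args):
        return self.library.execute(self, sender, fn, *args)

def replay(init_at_deploy):
    """Replay the sequence from the text; return (wallet_usable, wallet_balance)."""
    lib = WalletLibrary(init_at_deploy)
    wallet = MultiSigWallet(lib, ["alice", "bob"], balance=100)  # constructed sample data
    try:
        lib.execute(lib, "outsider", "initWallet", ["outsider"])  # direct call on the library
        lib.execute(lib, "outsider", "kill")
    except Reverted:
        pass
    try:
        return wallet.call("alice", "isOwner", "alice"), wallet.balance
    except Reverted:
        return False, wallet.balance
```

With the library left uninitialised, replay(False) shows the wallet keeping its balance while every call into it fails; with the library's own storage claimed at deployment, replay(True) shows the same sequence reverting at the first step.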
Accident or a Hack?
A GitHub user called devops199 took responsibility for the new exploit, stressing that it was an accident. Posting on the GitHub issue about the Parity hack, the user explained that he was trying random commands, which managed to kill multi-sig wallets that he did not own. He made himself owner of the library contract (a vital piece of code, as Parity explained above) and then executed a ‘kill’ function that deleted it. As a result, all multi-sig wallets were frozen. Nevertheless, it is not yet clear that the user was not malicious.
At the moment of writing, more than 500 wallets have been reported to be affected, but their balance is unknown.
The Funds Are There - But How Will They Be Recovered?
The funds inside these multi-sig wallets are untouched, but at the same time they are inaccessible. And it seems improbable that a solution will be found soon.
In a recent update, Parity Technologies said that its developers are working full-time on the issue.
In the linked announcement, the company points out that "it is too early to decide on a fixed solution" but mentions a solution devised earlier by Ethereum's Vitalik Buterin (EIP156). According to Parity Tech, Buterin's method "has been discussed for a significant time and has drawn support from various directions in the community". As expected, Parity states that:
"The team is working on a broadly accepted solution that will unblock the funds."
But the reality is that a solution has not been published yet.
Parity has also issued a statement warning users not to create multi-signature wallets:
"We are advising users not to deploy any further multi-sig wallets until the issue has been resolved, and to not send any ether to wallets that have been deployed and are in use already."
Hard Fork or Not?
At the same time, a lot of speculation is going on as to whether a hard fork is required or not to fix the problem. Some have suggested that a hard fork is indeed the only way to fix the problem. This is because Ethereum smart contracts are immutable and there is no provision to recreate code.
Martin Holst Swende, head of security for the Ethereum Foundation, confirmed that a hard fork of the Ethereum blockchain is required. He said that there is “no way to recreate the code without a hard fork” and emphasized that “any solution which makes the locked funds accessible requires a hard fork.”
However, the community seems divided on the issue as a lot of users are opposing yet another hard fork.
Parity Reputation Damaged
The reputation of Parity suffered a lot from the new exploit. It had only been six months since the last hack in July, and the new exploit is even more severe than the last one. Add to that the fact that the exploit was made possible due to yet another "issue" on the library contract (Parity's own code) and you get the picture.
Let's hope it will all end soon and Parity will emerge stronger than before.