More ETH Troubles: Someone Triggered a Bug That Has Frozen Over 280 Million in Ethereum
Remember the Ethereum hack back in July that helped hackers steal $32 million? Well, no one is going to blame you for not recalling that particular story since the past four months have been all about hackers making money in Ethereum by exploiting security flaws. The July incident saw a hacker make millions by exploiting a security flaw in Parity, an Ethereum wallet client.
Now someone has triggered a critical security vulnerability in the Parity multi-sig wallet, paralyzing wallets created after July 20th. The “280 million bug”, as it is being called, was accidentally triggered according to the company and has resulted in freezing over $280 million in Ether – $90 million of which belong to Parity’s founder, Gavin Wood.
In a security advisory, the company said that currently no funds can be moved out of the multi-sig wallets. The issue was introduced as part of the fix that was released to patch the original multi-sig vulnerability exploited in the July hack.
Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However, that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code, which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
A user named devops199 has claimed responsibility for triggering this bug and reported it through a GitHub ticket.
In July, a coding error by the company had enabled hackers to steal $32 million in ETH, and Parity now appears to be at the center of more issues of the same kind that may have affected thousands of users, as the latest problem affects all multi-sig wallets deployed after July 20. The company has yet to disclose how many were affected.
“We are still working on the final number and do not want to release any speculative figures. No ether has been stolen.”
The problem centers on how a Parity multi-sig wallet works as a smart contract: the wallet’s logic lives in a shared library contract, and that library could itself be turned into a multi-sig wallet, with whoever did so taking ownership of it.
Parity likely did not think of their wallet as a classic contract. Their code is in a library, and they delegatecall to execute it directly.
— Dan Guido (@dguido) November 7, 2017
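To make the mechanism in the advisory and the tweet above concrete, here is an added, simplified Solidity illustration written for this article; it is not Parity’s code, and all contract and function names other than initWallet are assumed. It shows a wallet that delegatecalls into a shared library, an initialization function that can be invoked on the library itself, and a hardened library that guards initialization and carries no self-destruct path.

```solidity
pragma solidity ^0.4.24;
// Illustration only, not Parity's code: wallet logic lives in a shared library and
// runs in each wallet's own storage context through delegatecall.
contract WalletLibraryVulnerable {
    address public owner;
    // The defect: nothing stops a direct call on the library contract itself,
    // so the library acquires an owner and becomes an ordinary wallet.
    function initWallet(address _owner) public { owner = _owner; }

    // Whoever owns the library can then destroy it, leaving every wallet that
    // delegatecalls into it with no logic to execute.
    function kill() public { require(msg.sender == owner); selfdestruct(owner); }
}

// Hardened variant: guarded initialization and no self-destruct path at all.
contract WalletLibraryHardened {
    address public owner;
    bool public initialized;
    // The library's own storage is marked initialized at deployment, so
    // initWallet reverts when called on the library directly.
    constructor() public { initialized = true; }

    // Through delegatecall `initialized` is the calling wallet's storage slot,
    // so each wallet can still be set up, but only once.
    function initWallet(address _owner) public {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
}

// Thin wallet: mirrors the library's storage layout and forwards calls to it.
contract Wallet {
    address public owner;
    bool public initialized;
    address public lib;
    constructor(address _lib, address _owner) public {
        lib = _lib;
        require(_lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner)));
    }
    // A delegatecall to an address with no code succeeds silently, so verify the
    // library still exists rather than letting every operation become a no-op.
    function() external payable {
        if (msg.data.length == 0) return;
        uint size; address l = lib;
        assembly { size := extcodesize(l) }
        require(size > 0, "library code is gone");
        require(lib.delegatecall(msg.data));
    }
}
```

The existence check in the wallet’s fallback is a defensive addition beyond the advisory: without it, a wallet whose library has been destroyed reports success on every call while changing nothing.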
Multi-sig wallets are supposed to be more secure, as they add an extra layer of protection by requiring multiple signatures before a transaction is confirmed. These wallets are popular with companies, which assign multiple employees to an account and use them for ICOs and other purposes. It is likely that most affected wallets belong to firms rather than individual users.
The Web3 Foundation has confirmed that its account is one of those affected. The firm was using the account to raise funds for a blockchain network, Polkadot. “The multi-sig used by the Web3 Foundation to accept contributions for Polkadot was one of those affected, putting the ETH in it beyond access,” the firm wrote. “The affected multi-sig wallet does not contain all of the Web3 Foundation’s funds; our ability to build Polkadot as planned and to the original timetable has not been affected.”
Parity is currently looking into ways to unfreeze the funds. “We are analyzing the situation and will release an update with further details shortly,” the company promised. The news has resulted in ETH dropping from $305 to $291, and the person who accidentally triggered the bug is worried that they will be arrested for it.