Friday, December 2, 2022

Parity Multisig Wallet Bug Freezes Over $153 Million Dollars in Ethereum

Yesterday a GitHub user named “devops199” opened an issue on the Parity wallet GitHub repository titled “anyone can kill your contract.” The body tersely states, “I accidentally killed it,” with a link to a proof-of-concept contract suicide. What happened next might be the largest loss of value on the Ethereum network to date.

Parity Multisig Is More Swiss Cheese than Swiss Bank

This isn’t the first time Parity wallets have lost users millions of dollars. In July, a different exploit allowed a theft of over $31 million in tokens. This most recent vulnerability may be the most egregious, though. It stems from a flaw in one of the smart contracts underlying the multisig wallet: any user can shut down the smart contracts based on it by calling the ‘kill()’ and/or ‘destroy()’ functions in affected multisig wallets, causing those contracts to “suicide.”

The issue affects any wallets issued after the previous vulnerability “fix” made on July 20. Devops199 seems to have reproduced this issue in many Parity multisig hosted contracts. The running total of permanently locked funds at press time comes in at approximately $153 million (509019 ETH), not including the value of tokens on those wallets, putting this incident on the same scale as last year’s DAO hack.

Polkadot Network, ICONOMI and possibly other dApps have been affected as well, bringing the overall total of locked value from $190 to $240 million, possibly more.

Resolution Unclear After Lock

At present, the remedy to the issue remains a mystery. Many expect a hard fork away from the frozen chain, while some projects are saying the lock is only temporary. However, whether that means the contract suicides are reversible is unclear. While this exploit, like the DAO, affects a significant amount of value on the Ethereum blockchain, the Ethereum Foundation’s response to the July hacks casts doubt on a swift hard fork solution.

Expect more detailed information to come as the situation develops.
