Yesterday a GitHub user named “devops199” opened an issue on the Parity wallet GitHub repository titled, “anyone can kill your contract.” The body tersely states, “I accidentally killed it,” with a link to a proof-of-concept contract suicide. What happened next might be the largest loss of value on the Ethereum network to date.
Parity Multisig Is More Swiss Cheese than Swiss Bank
This isn’t the first time Parity wallets have lost users millions of dollars. In July, a different exploit allowed a theft of over $31 million in tokens. This most recent vulnerability may be the most egregious, though. It exploits a flaw in one of the underlying smart contracts of the multisig wallet, which allows any user to shut down the smart contracts built on it by calling the ‘kill()’ and/or ‘destroy()’ functions in affected multisig wallets, causing those contracts to “suicide” (self-destruct).
The issue affects any wallets issued after the previous vulnerability “fix” made on July 20. Devops199 seems to have reproduced this issue in many Parity multisig hosted contracts. The running total of permanently locked funds at press time comes in at approximately $153 million (509,019 ETH), a figure that excludes the value of tokens held in those wallets and puts this incident on the same scale as last year’s DAO hack.
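As an added illustration, not Parity’s code and not taken from the issue above, here is the pattern the paragraphs above describe in reduced form: thin wallets that delegatecall into one shared library contract, a library whose initializer is unguarded so that anyone can claim it and invoke kill(), and a hardened version that marks the library deployment as initialized so a direct claim reverts. All contract and function names other than kill() are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Thin per-user wallet: holds funds and forwards every call to a shared library
// via delegatecall, so the library's code runs against this wallet's storage.
// If the library's code disappears (selfdestruct), every such wallet is bricked.
contract ThinWallet {
    address public owner;           // storage layout must mirror the library's
    bool private initialized;
    address public immutable lib;
    constructor(address _lib) { lib = _lib; }
    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}

// VULNERABLE (illustrative): nothing stops a direct call to init() on the
// library itself. Whoever does that becomes the library's owner and can call
// kill(), which selfdestructs the code all ThinWallets depend on.
contract WalletLibVulnerable {
    address public owner;
    bool private initialized;
    function init(address _owner) public {   // unguarded initializer
        owner = _owner;
    }
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);   // newer compilers warn this is deprecated; still compiles
    }
}

// HARDENED: the library marks *itself* initialized at deployment, so a direct
// init() on the library reverts. Each ThinWallet has its own storage, so its
// delegatecalled init() still runs exactly once.
contract WalletLibHardened {
    address public owner;
    bool private initialized;
    constructor() { initialized = true; }
    function init(address _owner) public {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}
```

Even the hardened variant leaves a selfdestruct reachable in code that many wallets share; the more robust fix is to remove kill() from the library entirely and only ever let individual wallets destroy themselves.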
Resolution Unclear After Lock
At present, the remedy to the issue remains a mystery. Many expect a hard fork to undo the freeze, while some projects are saying the lock is only temporary. However, whether that means the contract suicides are reversible or not is unclear. Although this exploit, like the DAO, affects a significant amount of value on the Ethereum blockchain, the Ethereum Foundation’s response to the July hacks casts doubt on a swift hard fork solution.
Expect more detailed information to come as the situation develops.
What should be done to fix this vulnerability? Share your thoughts in the comments below.
Images via GitHub