A few days ago Parity Technologies made headlines after someone accidentally triggered a vulnerability in the popular Parity Wallet that locked up $280 million in Ether, including $90 million raised by Parity Technologies’ founder Gavin Wood.
Is it really an incident?
A crypto-currency collector who was locked out of his $1m Ethereum multi-signature wallet has claimed it was a “deliberate and fraudulent” act.
Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced the incident, which was caused by a severe vulnerability in its “multisignature” wallets created after July 20. Owners of the affected wallets will not be able to move their funds.
“A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found,” reads the announcement.
“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
The vulnerability was triggered by a regular GitHub user, “devops199,” who allegedly accidentally removed critical library code from the source code; this operation turned all multi-sig contracts into a regular wallet address with devops199 as its owner.
Devops199 then killed the wallet contract, making all Parity multisignature wallets tied to that contract useless, and locking up their funds.
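The failure mode described in the announcement, modelled in Python as an added example (not Parity's contract code and not part of the original article). The class and function names are hypothetical, and the "already initialised" guard and the initialise-at-deployment hardening are assumptions made for this model.

```python
"""Toy model of a shared-library wallet design (constructed, not Parity's code)."""

NO_OWNER = object()  # sentinel that no caller can ever match


class LibraryContract:
    """Holds the logic every wallet stub forwards its state-changing calls to."""

    def __init__(self, init_at_deploy):
        self.owner = None
        self.initialised = False
        self.code_present = True  # becomes False once the contract is destroyed
        if init_at_deploy:
            # Hardened deployment (assumption): close the init window up front.
            self.init_wallet(NO_OWNER)

    def init_wallet(self, caller):
        if self.initialised:
            raise PermissionError("already initialised")
        self.owner, self.initialised = caller, True

    def kill(self, caller):
        if not self.initialised or caller != self.owner:
            raise PermissionError("caller is not an owner")
        self.code_present = False


class WalletStub:
    def __init__(self, library, balance):
        self.library, self.balance = library, balance

    def withdraw(self, amount):
        if not self.library.code_present:
            return False  # forwarded call reaches no code; balance cannot move
        self.balance -= amount
        return True


def library_is_claimable(library):
    """Deployment check: an uninitialised library can be claimed by any caller."""
    return not library.initialised


def wallet_survives(init_at_deploy):
    """Replay the two calls from the announcement; report if a wallet still works."""
    library = LibraryContract(init_at_deploy)
    wallet = WalletStub(library, balance=100)
    try:
        library.init_wallet("third-party")
        library.kill("third-party")
    except PermissionError:
        pass  # hardened library rejects the claim, so kill is never reached
    return wallet.withdraw(10)
```

`library_is_claimable` is the check to run against any shared logic contract at deployment time: if it returns true, every wallet that forwards calls to that library depends on nobody claiming it first.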
One of the frozen Ethereum wallets belongs to the startup Cappasity that operates an online marketplace for AR and VR 3D models. The firm had 3,264 ETH in the Parity wallet (roughly $1m at current prices) that it earned from punters buying ARtokens, which can be exchanged for designs when the market launches later this year.
Cappasity believes the incident was not accidental and that someone deliberately triggered the flaw. The experts at the firm analyzed devops199’s attempts to extract and change ownership of ARToken’s and Polkadot’s smart contracts. According to the firm, the people behind the account were poking around, eventually triggering the catastrophic bug in Parity’s software.
“Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate,” said Cappasity’s founder Kosta Popov in a statement this week.
“When you are tracking all their transactions, you realize that they were deliberate… Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hacking. We believe that if the situation is not successfully resolved in the nearest future, contacting law enforcement agencies may be the right next step.”
Parity has yet to issue an update to solve the problem and hasn’t provided further comments to the media.
The incident will surely have an immediate effect on investor confidence in companies operating in this emerging industry.
What happened is unheard of and disconcerting.
(Security Affairs – Parity Wallet, hacking)