Today is not a good news day for Ethereum. A vulnerability found within a popular wallet has frozen potentially hundreds of millions of dollars of the cryptocurrency in a second setback in recent months.
Parity Technologies, the company behind widely used wallet service Parity, today disclosed an issue that could enable the contents of a wallet to be wiped.
The issue affects multi-sig wallets — a technology that uses the consent of multiple parties for additional security on transactions — that were deployed after July 20. In other words, ICOs that were held since then may be impacted.
It’s a kicker because it is the second time in just a few months that a major Parity bug has been unearthed with potentially costly repercussions for Ethereum, which is the world’s second-highest-valued cryptocurrency with a total market cap of over $27 billion. Back in July, a vulnerability in Parity led to 150,000 ETH (then worth around $30 million) being stolen.
That bug was fixed July 19 — hence the significance of the July 20 date — but one positive element of that first scare is that many in the Ethereum community, and particularly those who have held ICOs, backed away from the technology in favor of alternatives. Even those who did use Parity may not have opted for the multi-sig wallet.
But still it is a major security issue with wider implications. Parity explained that it found the problem when one user’s wallet was wiped:
Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
The issue appears to center around the fact that the Parity Wallet operates as a smart contract.
Parity likely did not think of their wallet as a classic contract. Their code is in a library, and they delegatecall to execute it directly.
— Dan Guido (@dguido) November 7, 2017
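An added example, not Parity's contract code, of the layout the quote and tweet describe: all wallet logic in one shared library contract, thin wallets that delegatecall into it, and the guard whose absence let initWallet be called on the library address itself. The contract names WalletLibrary and Wallet and the kill function are assumed for illustration; only initWallet comes from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical illustration of the pattern in the text, not Parity's code.
// Wallet logic lives in one shared library; each wallet delegatecalls into it.
contract WalletLibrary {
    address[] public owners;
    bool public initialized;
    // The library deployment marks itself initialized, so nobody can later
    // call initWallet() on the library address itself and become its owner.
    constructor() { initialized = true; }
    function initWallet(address[] memory _owners) public {
        require(!initialized, "already initialized");
        initialized = true;
        owners = _owners;
    }

    function isOwner(address who) public view returns (bool) {
        for (uint i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }

    // selfdestruct here erases the code every wallet depends on; the library
    // itself has no owners, so this can only run via a wallet's delegatecall.
    function kill(address payable to) public {
        require(isOwner(msg.sender), "not owner");
        selfdestruct(to);
    }
}

contract Wallet {
    // Storage layout must mirror WalletLibrary: delegatecall writes here.
    address[] public owners;
    bool public initialized;
    address public immutable lib; // immutables are not stored in storage slots

    constructor(address _lib, address[] memory _owners) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[])", _owners));
        require(ok, "init failed");
    }
    // Forward everything else. A delegatecall to an address whose code was
    // destroyed returns success without running anything, so funds get stuck.
    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
    }
    receive() external payable {}
}
```

Without the constructor guard, the library address starts with initialized == false and an empty owners list, which is exactly the state in which a direct initWallet call on it succeeds.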
There are no immediate reports of lost or stolen coins, but already it is clear that a sizable amount of Ethereum is at risk.
Early estimates from UCL cryptocurrency researcher Patrick McCorry suggest that at least 600,000 ETH (worth around $150 million) is frozen. McCorry told TechCrunch the total is likely to be higher still as more information about Parity usage and wallet volumes comes to light.
One high-profile company impacted is Polkadot, a project to link private-public blockchains that raised over $140 million in a token sale and was started by Parity co-founder Gavin Wood. Polkadot confirmed its wallets have been frozen and TechCrunch understands that 60 percent of its ICO raise is potentially affected.
Parity continues to look into the problem. The company said on Twitter that it believes that wallets are locked. It added that projections for the amount of ETH impacted were “speculative”.
Update: To the best of our knowledge the funds are frozen & can’t be moved anywhere. The total ETH circulating social media is speculative.
— Parity Technologies (@ParityTech) November 7, 2017
The price of Ethereum dropped on news of the vulnerability, falling from $305 to $291 to reach its lowest value for two weeks. What happens next on that scale may depend on how severe the vulnerability is, and what total portion of ETH is affected.