Parity have concluded their report into the bug which enabled an ethereum hobbyist to break their multi-sig wallet. The incident permanently locked up over half a million ether “as well as additional tokens”, worth at least $168 million in current prices. As a consequence, Parity have temporarily disabled multi-sig functionality.

Also read: Ethereum Wallet Parity Hit by Second Critical Vulnerability – $150+ Million Frozen

Picking Through the Pieces

In a detailed blogpost identifying the events leading up to the incident, the Parity team outline exactly what happened and why. The fatal incident occurred on November 6 when user devops199 made themselves the owner of the wallet’s library contract and then destroyed this component, which Parity’s multi-sig wallets were dependant on. As a consequence, 587 wallets containing 513,744 ether plus tokens were permanently locked up.

The Parity team have now completed a full audit of the smart contract code governing their wallet and have identified no further vulnerabilities. In “A Postmortem on the Parity Multi-Sig Library Self-Destruct”, Parity express remorse for those affected, but in their defense note that the code was created and audited by the Ethereum Foundation’s dev team and had “underwent extensive peer review”. They then go on to ponder what could have been done to prevent the incident, stating:

If the contract code had not included the functionality to suicide or kill, even if someone had taken ownership, they would not have been able to do anything. The kill functionality was a remainder of the original audited contract.

I Accidentally Killed It

Shortly after nuking the contents of the multi-sig wallets, the now infamous devops199 confessed “I accidentally killed it” and thus a meme was born. In response to the question “What is Parity Technologies doing to unfreeze the affected funds?”, the team are vague, stating only that “we are working hard on several Ethereum improvement proposals(EIPs)…that have the potential to unblock funds. These improvement proposals will also address general cases of blocked funds.”

Once is a Misfortune, Twice is Carelessness

Embarrassingly, Parity have declared they’re temporarily disabling their own multi-sig wallets, though they will “will continue to support Gnosis, WHG or other multi-sig wallets that are deemed secure”. The remainder of the blogpost details the measures that the London and Berlin-based team are taking to beef up their security including external audits of “all existing sensitive code including secret management, key generation and password management, signing and auto-updating”.

Having suffered two major security breaches this year, causing over $200 million of ether to be locked or stolen, Parity can’t afford to slip up again.

Do you think Parity’s code can be trusted in future? Let us know in the comments section below.

Images courtesy of Shutterstock, and Parity.

Bitcoin.com’s own store features a wide range of interesting Bitcoin-related products. Looking for a hardware wallet? We got ‘em. Want a good-looking t-shirt? It’s there. Want to gift a nice Bitcoin tea cup? Go shopping.

Tags in this story

ether, Ethereum, frozen, Hack, Hacker, library contract, Multi-sig, Parity, parity wallet, Wallet

Related

Quadrigacx Cold Wallet Was Stored in a Safety Deposit Box

SECURITY | Feb 20, 2019

In a 2014 appearance on the True Bromance Podcast, Gerry Cotten, the late CEO of embattled Canadian cryptocurrency exchange Quadrigacx,… read more.

Indian Government Inaugurates National Crypto Forensic Lab

SECURITY | Feb 19, 2019

The government of India has inaugurated a national cyber forensics lab which includes a cryptocurrency forensic lab to perform crypto-related… read more.

Kai Sedgwick

Kai's been playing with words for a living since 2009 and bought his first bitcoin at $19. It's long gone. He's previously written white papers for blockchain startups and is especially interested in P2P exchanges and DNMs.