Parity Tech Wallets Frozen, Throwing ICO Companies Into Chaos
A vulnerability found in a Parity Technologies wallet has resulted in hundreds of millions of dollars in ether being frozen. The freeze could destroy any number of startups relying on ETH raised from initial coin offerings to fund ongoing development and operations.
The setback is the second major issue for Parity, founded by ethereum cofounder Gavin Wood. The company suffered a hacking incident during the summer that resulted in more than $30 million in ETH being stolen.
Parity disclosed the issue in a blog post, admitting that the flaw could enable the contents of a wallet to be wiped. The issue affects so-called multi-sig wallets, which require the consent of multiple parties as an additional security measure. Any ICOs held since that date may be impacted. That could total as much as $150 million, according to one analyst’s report.
However, the true total will likely not be known for some time. Meanwhile, companies that stored the funds in the frozen wallets cannot draw on those reserves. How long those wallets will be frozen has not been revealed.
The ongoing problems at Parity sent ethereum down more than three percent to $292 today. The July theft of more than 150,000 ETH was allegedly resolved on July 19, or one day before the current vulnerability issue.
Parity claimed it discovered the problem when one user’s wallet was wiped. It has so far not indicated that any other wallets were affected, but the risks to other ethereum holders using the multi-sig wallet are enormous.
“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
Leigh-Anne Galloway, cyber resilience lead at Positive.com, blamed coding problems for the issue.
“One of the biggest cybersecurity challenges with smart contracts is that they’re made up of code, just like any other application,” said Galloway. “This is prone to human error. It’s also quite hard to make changes to the contract once it goes live, which is why we’ve seen that the funds have been frozen with Parity. This scenario is evidence that it’s extremely important to review the code before a contract goes live to avoid these vulnerabilities.”
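Parity's statement above describes the shared library contract being initialized as if it were a wallet and then destroyed. The following simplified Python model is an added example, not Parity's code and not part of the original article; it shows why every dependent wallet froze, and how marking the library's own storage as initialized at deployment (one possible mitigation, assumed here) blocks the sequence. All class and function names are hypothetical.

```python
# Simplified Python model, constructed for illustration: not EVM or Parity code.
from contextlib import suppress

class Frozen(Exception):
    """A wallet forwarded a call to a library whose code no longer exists."""

class WalletLibrary:
    def __init__(self, guarded):
        # guarded (assumed mitigation): the library's own storage starts initialized
        self.storage = {"owners": [], "initialized": guarded}

    def init_wallet(self, storage, owners):
        if storage.get("initialized"):
            raise PermissionError("already initialized")
        storage.update(owners=list(owners), initialized=True)

    def add_owner(self, storage, caller, new_owner):
        self.require_owner(storage, caller)
        storage["owners"].append(new_owner)

    def kill(self, storage, caller):
        self.require_owner(storage, caller)
        storage["destroyed"] = True  # removes whichever contract owns `storage`

    def require_owner(self, storage, caller):
        if caller not in storage["owners"]:
            raise PermissionError("caller is not an owner")

class Wallet:
    def __init__(self, library, owners):
        self.library, self.storage = library, {}
        self.call("init_wallet", owners)

    def call(self, fn, *args):  # library code executes on the wallet's storage
        if self.library.storage.get("destroyed"):
            raise Frozen("library code is gone")
        return getattr(self.library, fn)(self.storage, *args)

def replay(guarded):
    """Replay the sequence in Parity's statement; report the wallet's state."""
    lib = WalletLibrary(guarded)
    wallet = Wallet(lib, ["alice", "bob"])
    with suppress(PermissionError):  # the guarded library rejects the first call
        lib.init_wallet(lib.storage, ["outsider"])  # library treated as a wallet
        lib.kill(lib.storage, "outsider")
    try:
        wallet.call("add_owner", "alice", "carol")
    except Frozen:
        return "frozen"
    return "usable"
```

In the unguarded run the wallet's own storage and owners are untouched, yet its state-modifying call fails because the logic it depends on lived only in the library.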