Parity’s official statement on wallet exploit

Another major issue with Parity Wallet within a 4-month stretch, the company informed that on November 6th, 2017 an unidentified person wiped out the library code upon which Parity multi-sig wallets’ functionality relied.

The effect of this action is that Parity multi-sig wallets deployed after July 20th, 2017 have been frozen.

More details are below:

Severity: Critical

Product affected: Parity Wallet (multi-sig wallets)

Summary: A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.

Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

Following the fix for the original multi-sig issue that had been exploited for $32m worth of ETH on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWalletfunction. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.

All dependent multi-sig wallets that were deployed after 20th July functionally now look as follows:

contract Wallet {

function () payable {

Deposit(…)

}

}

This means that currently no funds can be moved out of the multi-sig wallets.

Parity says, “We are analyzing the situation and will release an update with further details shortly.”

Related News

Leave Comment