Posted on November 17, 2017 at 1:30 PM
Parity Bug Locks Users Out of $162 Million
After a user accidentally triggered a security flaw, hundreds of users have been locked out of over $162 million worth of ethereum.
Earlier this month, a flaw in the cryptocurrency wallet service developed by Parity Technologies caused the wallet service to lock users out of over $160 million worth of ethereum. Following a closer look at the events, Parity Technologies confirmed that they had been aware of the potential dangers of the security flaw three months before it was exploited.
After the wallet service was hacked on 20 July, the company updated the code for its multi-signature wallet function. However, during the update, they failed to notice or address a particular vulnerability, which a user known as devops199 accidentally exploited.
Since the flaw was triggered, all multi-signature wallets created after 20 July have been locked. At the time of the lock-out, an estimated $280 million worth of ethereum was inaccessible. Recent investigations stated that the funds could perhaps be lost forever.
Since this estimate, Parity Technologies has confirmed that 587 wallets were affected, which collectively held 513,774.16 coins, the equivalent of $162 million. Ethereum is a cryptocurrency which functions using blockchain technology and has been specially designed for smart contracts. Multi-signature wallets have become increasingly popular amongst cryptocurrency users, as the wallet requires several approvals before cryptocurrency can be moved from it.
Parity Technologies confirmed earlier this week that the flaw had been brought to their attention in August of this year by a coder known as 3esmit. According to Parity, the coder warned them that once a user opens WalletLibrary, it is opened in the contract. To rectify this, the coder suggested that the firm change the name to initWallet, to discourage users from using it. Parity admitted that they deemed the move merely as making the app more convenient.
In addition, Parity stated that while the enhancement was scheduled for a future update, the flaw was exploited before Parity could release a new update.
Parity added that the exploitation could have been avoided if the code had not allowed an additional kill functionality once a user had claimed ownership of the wallet. This is the trap that devops199 stepped into when they tried to take control of a wallet earlier this year. Reddit’s avid cryptocurrency and ethereum community expressed outrage at this oversight on the part of Parity.
Currently, all affected users’ funds are frozen. Parity has emphasized that they are working hard to find a solution.
The company confirmed that they did notify all affected users. Parity also acknowledged the widespread distress that their oversight has caused, as well as the doubts cast on the firm’s capabilities. The company concluded by stating that they are working to find a viable solution.