The Daily Swig Web security digest

Lost in the Ether: Parity still scratching its head over multi-sig issue

James Walker | 13 November 2017 at 16:00

$165 million worth of blockchain assets are still inaccessible.

Parity Technologies is pushing to find a solution to the multi-signature vulnerability that blocked 587 Ethereum wallets holding a total value of around $165 million.

On November 8, a GitHub user provided details of a vulnerability in the Parity Wallet library contract of the standard multi-sig contract, which allowed them to effectively make themselves the contract’s owner.

The user subsequently made the unfortunate move to ‘suicide’ the smart contract underlying the multi-sig wallet, which in turn blocked the funds of 587 wallets holding a total of 513,774.16 ether.

While the funds remain in the affected wallets, the wallets themselves are inaccessible, meaning approximately $165 million of funds are locked away.

Providing an update to account holders, Parity founder Jutta Steiner said: “We deeply regret the impact this situation is causing among our users and within the community.

“We do ask that people get in touch with us if they have any uncertainties and to not believe the speculation circulating the media. We are endeavoring to find a solution as soon as possible and we would like to thank everyone for the support we’ve experienced so far.”

Steiner said Parity has been “rigorously examining” the events of the past week, noting that EIP156 – an ether-reclamation solution developed by the cryptocurrency’s co-founder Vitalik Buterin – has drawn support from various members of the Ethereum community.

“The team is working on a broadly accepted solution that will unblock the funds,” she stated. “This is a learning opportunity (albeit a painful one) for our company, for our collaborators and the community that stands with us.

“Moving forward we will further improve our process related to the development of mission critical code and work together with the community to make core infrastructure more secure.”

The multi-sig vulnerability is the second suffered by Parity in the last four months. A July theft of more than 150,000 ether, valued then at around $32 million and caused by another flaw, was allegedly resolved with a hard fork on July 19.

Steiner said the Parity team will continue to analyze the events and will issue a detailed postmortem over the next few days. In the meantime, account holders can check whether they have been affected by the multi-sig account freeze.