Alert! Parity multi-sig wallet discovered another vulnerability

Parity wallet, the multi-signature wallet which is considered to be the most secure way of interacting with the Ethereum blockchain seems to have discovered another vulnerability on November 6th, 2017.

The official twitter account tweeted early today, November 7, 2017

"UPDATE: A user exploited an issue and thus removed the library code, as it seems unaware of the consequences.

This froze funds in all Parity multi-sig wallets deployed after 20 July. We are analysing the situation and release further details shortly."

Parity Team has issued a Security Alert for their users mentioning it to be with Critical Severity.

Screen-Shot-2017-11-07-at-11.08.32-AM

History
As we know, on July 18, 2017,attackers exploited a vulnerability in the Parity multi-signature wallet to steal 150K Ethereum (worth $32 million then) from three accounts belonging to cryptocurrency trading platform Swarm City, Edgeless Casino, and the Aeternity project.

A group of White Hat Hacker (WHG) including Parity employess and an unkown user helped to stop any more Ethereum from being stolen via the vulnerability, draining other vulnerable wallets of 377,000 Ethereum, put it into a safe address (https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a) and rescued the contents of the rest of the wallets before they could be stolen as well. On July 19, 2017, The official Parity blog updated that

Multi-sig wallets created in Parity Wallet after 19/07/17 23:14:56 CEST are secure. (Fix in the code is https://github.com/paritytech/parity/pull/6103 and the newly registered code is https://etherscan.io/tx/0x5f0846ccef8946d47f85715b7eea8fb69d3a9b9ef2d2b8abcf83983fb8d94f5f).

Present

According to the blog published on November 7, 2017, a new version of the Parity Wallet library contract was deployed on 20th of July post the original multi-sig issue. However that code still contained another issue - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function.
It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.

This means that currently no funds can be moved out of the multi-sig wallets.

As per latest tweet,

"To the best of our knowledge the funds are frozen & can't be moved anywhere. The total ETH circulating social media is speculative."

Team Parity Technologies are working on confirming the exact details and will inform the community as soon as they have them.

Please stay tuned and follow Parity for latest update on the issue.

For more updates, technical blogs and general discussion on Blockchain Technology, please Subscribe and follow us at Twitter, Facebook and Medium. You can also reach us at contact@etherworld.co.

Subscribe to EtherWorld.co