Parity wallet revealed a critical security issue this week regarding a vulnerability in the Parity Wallet. Earlier today, the Parity team posted an update regarding the hack:
We very much regret that yesterday’s incident has caused a great deal of stress and confusion amongst our users and the community as a whole, especially with all the speculation surrounding the issue. We continue to investigate the situation and are exploring all possible implications and solutions. Blockchain and related technologies are a vanguard area of computer science. Our mission remains to build software to power the decentralised web.
If you are concerned about whether your wallet has been affected please visit this website that we created to provide a list of affected accounts. We are in touch with users affected by the issue – in case you are affected and want to reach out, please contact us under community@parity.io.
Following the fix for the original multi-sig vulnerability that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. Unfortunately, that code contained another vulnerability which was undiscovered at the time – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It is our current understanding that this vulnerability was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC and subsequently a user deleted the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable and funds frozen since their logic (any state-modifying function) was inside the library.
The MuliSig Freeze now stands at 584 affected wallets or 573 affected owners. Polkadot, an account that was reported as possibly affected, announced it had not been impacted and was moving forward as planned with their original timetable.
On November 6th, an unknown individual wiped out the library code upon which Parity multi-sig wallets operated causing wallets deployed after July 20th 2017 to be frozen. Parity is described as the “fastest and most secure way of interacting with the Ethereum blockchain.”