“However that code still contained another issue—it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
“The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized,” Suiche wrote. “Although the contract is a library, it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts.”
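A simplified Solidity sketch of the pattern the two quotes describe, written for this article as an added example and not Parity's actual code: a shared library whose own storage was never initialised, beside a version that initialises itself at deployment and carries no selfdestruct in shared logic. Contract names, the `kill` function and the `initialised` flag are assumed; only `initWallet` is named in the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration of the pattern in the article, not Parity's code. Wallets
// forward every state-changing call with delegatecall to one shared library, so
// library and wallets each hold their own copy of the same storage layout.

contract WalletLibraryVulnerable {
    address[] public owners;
    uint256 public required;
    modifier onlyOwner() {
        bool isOwner;
        for (uint256 i; i < owners.length; i++) if (owners[i] == msg.sender) isOwner = true;
        require(isOwner, "not an owner");
        _;
    }
    // Guarded against a second call, but the library's *own* storage was never
    // initialised at deployment, so calling this directly on the library
    // contract (not through a wallet) makes the caller an owner of the library.
    function initWallet(address[] calldata _owners, uint256 _required) external {
        require(owners.length == 0, "already initialised");
        owners = _owners;
        required = _required;
    }
    // Invoked on the library itself, this deletes the code every wallet
    // delegatecalls into. (Since the Cancun upgrade, EIP-6780, selfdestruct
    // only removes code in the same transaction that created the contract.)
    function kill(address payable to) external onlyOwner {
        selfdestruct(to);
    }
}

contract WalletLibraryHardened {
    address[] public owners;
    uint256 public required;
    bool private initialised;
    // Mark the library's own storage as initialised at deployment. Wallets still
    // reach initWallet via delegatecall against their own fresh storage, where
    // `initialised` is false, so they can set themselves up as before.
    constructor() { initialised = true; }
    function initWallet(address[] calldata _owners, uint256 _required) external {
        require(!initialised, "already initialised");
        initialised = true;
        owners = _owners;
        required = _required;
    }
    // No selfdestruct in shared logic: nothing can remove the code wallets rely on.
}
```

The hardened variant closes both gaps the quotes point at: the library cannot be claimed through `initWallet`, and even a claimed library would have no code path that destroys itself.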
In a report published on CoinDesk.com, Ethereum Foundation head of security Martin Holst Swende said that the funds can only be made accessible again through a hard fork of the Ethereum blockchain, delivered as an emergency update.
Parity Technologies operates independently of the Ethereum Foundation.
The July 19 bug was devastating as well. About $30 million in ether was stolen from a Parity wallet after attackers exploited a vulnerability in the software. Parity said three wallet addresses had been compromised and advised users to immediately move assets in the affected wallet to a secure address.
That’s not the case this time around since no funds can be moved out of the wallets.
“We are analyzing the situation and will release an update with further details shortly,” Parity said yesterday.