Between $150 million and $300 million in the digital currency ether remains inaccessible today after a user said he “accidentally” triggered a vulnerability that froze the funds in the popular Parity wallet.

Parity Technologies issued an advisory warning users about the flaw in the Parity Wallet library contract affecting users with assets in a standard multi-sig contract deployed after July 20, one day after the original bug in this saga had been patched. Parity said in its advisory:

“However that code still contained another issue—it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

Researcher Matt Suiche of Comae Technologies said in a post that the user in question, who goes by the handle devops199, was able to first take over the library and then kill it. The library was used by all multisignature wallets created after July 20.

“The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized,” Suiche wrote. “Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts.”
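The mechanism described in Parity's advisory and in Suiche's post, as an added toy model in Python (not Parity's contract code and not part of the original article): each wallet keeps its own state but runs logic stored at a shared library address. The names `Library`, `Chain` and `scenario` and the addresses are hypothetical, and presetting the library's owners at deployment is an assumed mitigation shown for contrast, not Parity's actual fix.

```python
class Library:
    """Constructed toy model of the shared wallet logic; acts on whatever storage it is handed."""
    def init_wallet(self, state, sender, owners):
        if state.get("owners"):
            raise PermissionError("already initialised")
        state["owners"] = set(owners)
    def kill(self, state, sender):
        self._only_owner(state, sender)
        state["destroyed"] = True
    def withdraw(self, state, sender, amount):
        self._only_owner(state, sender)
        state["balance"] -= amount
        return amount
    def _only_owner(self, state, sender):
        if sender not in state.get("owners", set()):
            raise PermissionError("not an owner")

class Chain:
    def __init__(self):
        self.code, self.storage = {}, {}
    def deploy_library(self, addr, initial_owners=None):
        self.code[addr] = Library()
        # Unset owners models the uninitialised library; a preset models the assumed mitigation.
        self.storage[addr] = {"owners": set(initial_owners)} if initial_owners else {}
    def call(self, addr, sender, fn, *args):
        state = self.storage[addr]
        code_addr = state.get("lib", addr)  # wallets delegate; the library runs its own code
        logic = self.code.get(code_addr)
        if logic is None:  # on chain no logic would execute; modelled here as an error
            raise RuntimeError("no code at " + code_addr)
        result = getattr(logic, fn)(state, sender, *args)
        if state.pop("destroyed", False):
            self.code.pop(addr, None)  # self-destruct removes the code at the called address
        return result

def scenario(library_owners):
    chain = Chain()
    chain.deploy_library("LIB", library_owners)
    chain.storage["WALLET"] = {"lib": "LIB", "balance": 100}  # wallet state lives in the wallet
    chain.call("WALLET", "alice", "init_wallet", ["alice"])
    try:  # the two direct calls to the library that the advisory describes
        chain.call("LIB", "stranger", "init_wallet", ["stranger"])
        chain.call("LIB", "stranger", "kill")
    except PermissionError:
        pass
    try:
        return chain.call("WALLET", "alice", "withdraw", 10)
    except RuntimeError:
        return "frozen"
```

`scenario(None)` models the library as deployed with no owner set, and `scenario(["deployer"])` models the same library with its owner state fixed at deployment; only the first leaves the wallet's balance intact but unreachable.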

In a report published on CoinDesk.com, Ethereum Foundation head of security Martin Holst Swende said that the funds can only be made accessible following a hard fork of the ethereum blockchain via an emergency update.

Parity Technologies operates independently of the Ethereum Foundation.

The July 19 bug was devastating as well. About $30 million in ether was stolen from a Parity wallet after attackers exploited a vulnerability in the software. Parity said three wallet addresses had been compromised and advised users to immediately move assets in the affected wallet to a secure address.

Moving assets is not an option this time around, since no funds can be moved out of the wallets.

“We are analyzing the situation and will release an update with further details shortly,” Parity said yesterday.

Source: ThreatPost
