The bug resulted in users permanently losing access to millions in funds, as Github user “devops199” revealed he inadvertently exploited a bug in the Parity Wallet library contract. Cappasity recently pointed out that something doesn’t add up, and the bug might’ve been deliberately exploited.
As CCN recently reported, the Ethereum ecosystem encountered another black swan event this week, as a bug was activated in the multi-signature wallet released by Parity Technologies.
The user revealed what had happened with the words “I accidentally killed it” and a link to a smart contract address on Etherscan. Devops199 had apparently turned the library contract into a regular multi-sig wallet and became its owner. He then attempted to delete the code that gave him ownership, but since the wallet contained library contract code – which all Parity multi-sig wallets rely on – the deletion froze millions in funds stored in Parity multi-sig wallets.
Although developers are still looking into the problem, reports suggest that the only way to recover the frozen funds is through a hard fork to the Ethereum platform. If the platform does go with a hard fork and some users refuse to upgrade to the new software, a chain split can occur. Last year, a hard fork that recovered $50 million from the DAO hack resulted in the creation of Ethereum Classic.
This isn’t the first time a bug in Parity’s multi-sig wallet code led to a loss of funds. Earlier this year, an attacker exploited it to steal more than $30 million worth of ether, and was only stopped as white hat hackers drained affected accounts to then return users their funds.
Was it an accident?
Cappasity, a company in the midst of its Initial Coin Offering (ICO) affected by the incident contacted CCN to let us know about the results of its internal investigation. The company’s investigation led to the conclusion that devops199’s actions weren’t accidental, but “deliberate and fraudulent.”
Through a Medium blog post, the company updated its users on their ongoing ARToken ICO, and on the results of their investigation. In the beginning of the post the company makes it clear its platform is secure, as well as the funds that were unaffected by the situation. Moreover, it clarifies the release of its ARToken wasn’t affected, and that the team is confident Parity Technologies and the Ethereum Foundation will find a way to correct the situation.
Then, it goes on to explain the reasoning behind its investigation’s results. Per the blog post, on November 6 the user going by “devops199” attempted to “call execute (address _to, uint256 _value, bytes _data) of ARToken’s smart contract.”
Later on that day, he called execute of Polkadot’s smart contract, which now has over $90 million in frozen funds. Then the functions “changeOwner (address_from, address_to) and kill (address_to)” were called. It’s the team’s belief that after tracking all transactions, the logical conclusion is that they were deliberate.
To Cappasity, if the situation isn’t resolved quickly, law enforcement agencies should be contacted. CCN contacted Cappasity founder and CEO Kosta Popov to know more about the investigation, and will update the piece as soon as more information is available.