29.03.2024

Parity Disable Multi-Sig in the Wake of Bug That Nuked $168 Million Ether

The incident permanently locked up over half a million ether “as well as additional tokens”, worth at least $168 million in current prices. As a consequence, Parity have temporarily disabled multi-sig functionality. Parity have concluded their report into the bug which enabled an ethereum hobbyist to break their multi-sig wallet.

Picking Through the Pieces

In a detailed blogpost identifying the events leading up to the incident, the Parity team outline exactly what happened and why. The fatal incident occurred on November 6 when user devops199 made themselves the owner of the wallet’s library contract and then destroyed this component, which Parity’s multi-sig wallets were dependant on. As a consequence, 587 wallets containing 513,744 ether plus tokens were permanently locked up.

The Parity team have now completed a full audit of the smart contract code governing their wallet and have identified no further vulnerabilities. In “A Postmortem on the Parity Multi-Sig Library Self-Destruct”, Parity express remorse for those affected, but in their defense note that the code was created and audited by the Ethereum Foundation’s dev team and had “underwent extensive peer review”.

They then go on to ponder what could have been done to prevent the incident, stating:

If the contract code had not included the functionality to suicide or kill, even if someone had taken ownership, they would not have been able to do anything. The kill functionality was a remainder of the original audited contract.

I Accidentally Killed It

Shortly after nuking the contents of the multi-sig wallets, the now infamous devops199 confessed “I accidentally killed it” and thus a meme was born. In response to the question “What is Parity Technologies doing to unfreeze the affected funds?”, the team are vague, stating only that “we are working hard on several Ethereum improvement proposals(EIPs)…that have the potential to unblock funds. These improvement proposals will also address general cases of blocked funds.”

Once is a Misfortune, Twice is Carelessness

Embarrassingly, Parity have declared they’re temporarily disabling their own multi-sig wallets, though they will “will continue to support Gnosis, WHG or other multi-sig wallets that are deemed secure”. The remainder of the blogpost details the measures that the London and Berlin-based team are taking to beef up their security including external audits of “all existing sensitive code including secret management, key generation and password management, signing and auto-updating”.

Having suffered two major security breaches this year, causing over $200 million of ether to be locked or stolen, Parity can’t afford to slip up again.

Leave a Reply

Your email address will not be published. Required fields are marked *