Security Alert

Parity Technologies
Nov 7, 2017

Severity: Critical

Product affected: Parity Wallet (multi-sig wallets)

Summary: A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.

Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However, that code still contained another issue: it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that the issue was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC, and subsequently a user suicided the library-turned-into-wallet, wiping out the library code. This in turn rendered all multi-sig contracts unusable, since their logic (any state-modifying function) was inside the library.

All dependent multi-sig wallets that were deployed after 20th July functionally now look as follows:

    contract Wallet {
        function () payable {
            Deposit(...)
        }
    }

This means that currently no funds can be moved out of the multi-sig wallets.
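
The failure mode described above, as an added Python toy model (not Parity's contract code and not part of the original advisory): wallets hold only state and forward their logic to one shared library, so wiping the library's code leaves deposits in place but immovable. The `Chain` class, the account names and the `library_initialised_at_deploy` hardening are assumptions made for illustration.

```python
# Toy model, constructed for illustration: one shared library, wallets that delegate to it.
class Chain:
    def __init__(self):
        self.code, self.owners, self.balance = {}, {}, {}
    def deploy(self, addr, code):
        self.code[addr], self.owners[addr], self.balance[addr] = code, set(), 0
    def invoke(self, code_addr, ctx, sender, fn, *args):
        """Run code at code_addr on ctx's state (code_addr != ctx models a delegated call)."""
        code = self.code.get(code_addr)
        if code is None:          # no code at the address: nothing executes
            return False
        getattr(code, fn)(self, ctx, sender, *args)
        return True

class WalletLibrary:
    @staticmethod
    def init_wallet(chain, ctx, sender, owners):
        if chain.owners[ctx]:     # once-only guard, checked in ctx's own state
            raise PermissionError("already initialised")
        chain.owners[ctx] = set(owners)

    @staticmethod
    def execute(chain, ctx, sender, to, amount):
        if sender not in chain.owners[ctx]:
            raise PermissionError("not an owner")
        chain.balance[ctx] -= amount
        chain.balance[to] = chain.balance.get(to, 0) + amount

    @staticmethod
    def kill(chain, ctx, sender):
        if sender not in chain.owners[ctx]:
            raise PermissionError("not an owner")
        chain.code[ctx] = None    # self-destruct: the code at ctx is wiped

def scenario(library_initialised_at_deploy):
    chain = Chain()
    chain.deploy("lib", WalletLibrary)
    if library_initialised_at_deploy:          # assumed hardening, not from the advisory
        chain.invoke("lib", "lib", "deployer", "init_wallet", ["nobody"])
    chain.deploy("wallet", None)               # wallet stub holds no logic of its own
    chain.invoke("lib", "wallet", "alice", "init_wallet", ["alice"])
    chain.balance["wallet"] = 100              # deposits need no library code
    try:                                       # a user calls the library directly
        chain.invoke("lib", "lib", "user", "init_wallet", ["user"])
        chain.invoke("lib", "lib", "user", "kill")
    except PermissionError:
        pass
    moved = chain.invoke("lib", "wallet", "alice", "execute", "alice", 40)
    return chain.code["lib"] is not None, moved, chain.balance["wallet"]
```

`scenario(False)` returns `(False, False, 100)`: the library code is gone and the wallet's balance cannot move. `scenario(True)` returns `(True, True, 60)` because the library's own state was already initialised, so the direct `init_wallet` call is rejected.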

We are analysing the situation and will release an update with further details shortly.
