Parity Multisig Hacked. Again

Tony Kent
Chain.Cloud company blog
3 min read · Nov 8, 2017

Yesterday, Parity Multisig Wallet was hacked again:
https://paritytech.io/blog/security-alert.html

“This means that currently no funds can be moved out of the [ANY Parity] multi-sig wallets”

A lot of people/companies/ICOs are using Parity-generated multisig wallets. About $300M is frozen and (probably) lost forever.

Disclaimer: I lost a little money (about $1000), but my friends lost about $300K.

Who hacked it?

Some guy with the nickname @devops199 (not a member of the Parity team) and an “empty” GitHub account. His Ethereum address is 0xae7168Deb525862f4FEe37d987A971b385b96952, and he has successfully verified it.

How did @devops199 hack it?

  1. All Parity Multisig wallets use a single shared library contract at 0x863DF6BFa4469f3ead0bE8f9F2AAE51c91A907b4
  2. The library contract itself was not initialized properly. That allowed anyone to call it directly, become its owner and selfdestruct it.
  3. @devops199 “accidentally” called the initWallet() method to take ownership of the library: https://etherscan.io/tx/0x05f71e1b2cb4f03e547739db15d080fd30c989eda04d37ce6264c5686e0722c9
  4. @devops199 “accidentally” called the kill() method to selfdestruct it: https://etherscan.io/tx/0x47f7cff7a5e671884629c93b368cb18f58a993f4b19c2a53a8662e3f1482f690
  5. Because every wallet delegates its logic to that library, ALL Parity multisig wallets became useless as a result. If you had any funds or tokens in a Parity multisig, they are frozen forever (this is my position, not yet the official position of the Parity or Ethereum team) and you won’t be able to withdraw anything out of it.

N.B.: There are many other multisig wallets (simple contracts or ones with DApp frontends) that you can use instead. Just never ever use the Parity multisig again.
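To make the bug class behind steps 2 to 4 concrete, here is a constructed Solidity sketch (added here; it is not Parity's code and omits the real wallet logic) of an unguarded shared library next to a guarded one. It assumes the wallet contracts delegatecall into the library, so the library's own storage is only ever touched by someone calling the library directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the bug class; not Parity's source.
// Assumption: many wallet contracts delegatecall into one deployed
// copy of this library, so its code is shared by all of them.
contract UnsafeSharedLibrary {
    address public owner;

    // Bug: no guard. The deployed library's own storage was never
    // initialised (owner == address(0)), so the first account to call
    // this directly on the library becomes the library's owner.
    function initWallet(address _owner) public {
        owner = _owner;
    }

    // Once someone owns the library, this removes the code that every
    // delegating wallet depends on, leaving their funds unreachable.
    function kill(address payable _to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(_to);
    }
}

contract SafeSharedLibrary {
    address public owner;
    bool private initialised;

    // Fix 1: claim the library's own storage at deploy time, so the
    // deployed library is never in the "unowned" state.
    constructor() {
        owner = msg.sender;
        initialised = true;
    }

    // Fix 2: one-shot initialiser. A wallet delegatecalling this runs
    // it against the wallet's storage (initialised == false) and sets
    // its owner once; a direct call on the library reverts because the
    // library's storage was initialised in the constructor.
    function initWallet(address _owner) public {
        require(!initialised, "already initialised");
        owner = _owner;
        initialised = true;
    }

    // Fix 3: shared code has no kill()/selfdestruct at all, because no
    // single owner should be able to remove logic that others rely on.
}
```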

My position?

1: I came to Parity’s Gitter and found that @devops199 was still there…

2: He said that it was “unintentional” and he was “just researching”.

3: I gave the community this analogy:

“Sorry Ethereum, i just destroyed 1% of your valuation”

I don’t want to blame him.
Nor do I want to blame the Parity team (although the bug was made by them); their money is locked too.

I just can’t believe that this guy called 2 methods “accidentally”. If you walked into a bank that was somehow left open, you had better call the police.

Conclusion

We should be strong as a community. Democracy is an expensive bitch.

We should first contact the team if we find the vulnerability. Let’s make that a rule!

If someone burns money, we should at least investigate that. I just don’t understand why some people from the community support this kind of behaviour (see the screenshots above or go to Parity’s Gitter channel). This makes crypto weak.

p.s. I don’t think that a hard fork is a solution. I am 100% against a hard fork in this case.

p.p.s. (November 10, 2017 update) Please see this article — https://blog.artoken.io/statement-on-the-parity-multi-sig-wallet-vulnerability-and-the-cappasity-artoken-crowdsale-b3a3fed2d567

Therefore, we tend to think that it was not an accident. We suppose that this was deliberate hacking. We believe that if the situation is not successfully resolved in the near future, contacting law enforcement agencies may be the right next step.

Thank you for reading.

p.s. We are currently building the “Microcompany Tokenization Platform” here — https://web.thetta.io

We need your help. Become a part of our team/community (+bounties and +rewards) and deliver a great product together with us!
