Automatically Detecting the Bug that Froze Parity Wallets

On November 6, a bug in the popular Parity Multi-signature Wallet froze over $200M worths of ether. A user “accidentally” wiped out the Parity WalletLibrary, which resulted in freezing all Parity Wallets created after July 20. This bug was already covered in detail by numerous articles (e.g., here). To sum up, the accident occurred in two steps. First, the user took ownership over the Wallet Library. Next, the user suicided the library and thereby removed its code from the blockchain. All Parity Wallets created after July 20 rely on this library to withdraw funds. Consequently, all of their funds got frozen after the library was wiped out.

This accident shows that despite their relatively small size, smart contracts continue to contain subtle bugs that are difficult to uncover manually. Automated security analysis systems can mitigate this issue by pinpointing such critical vulnerabilities. Securify, a fully automated verifier for Ethereum smart contracts from ETH Zurich, successfully discovers both critical bugs that allowed the user to take ownership over the Wallet Library and freeze all Parity Wallets that rely on it. We describe how Securify discovers the two bugs below.

Bug 1: Unprivileged Variable Assignments

The first bug allowed any user to take ownership over the library. With this transaction, user 0xae7168deb525862f4fee37d987a971b385b96952 invoked the initWallet function and took ownership over Wallet Library. When analyzing the Solidity source code of Wallet Library, Securify reports the following three lines as vulnerable:

Fig. 1: Unprivileged writes to variables in the initMultiowned function of the Wallet Library

The highlighted lines indicate that any user can modify three critical variables, such as the variable m_owners, provided that the variable m_numOwners has not been initialized.

Bug 2: Locked Ether

The second bug is in the source code of the Wallet contract. This contract cannot withdraw funds unless it can invoke the Wallet Library. Securify explicitly checks whether a contract can receive ether without allowing users to withdraw it. It does this using a security pattern called “Locked Money”.

Fig. 2: The Parity Wallet identified as vulnerable to the “Locked Money”

The “Locked Money” security pattern triggers when analyzing the Parity Wallet contract (see Fig. 2), which indicates that the Wallet contract has this vulnerability. To verify this issue, you can check one of the affected wallets. Go to https://securify.ch/, select Address, enter the contract address 0x3bfc20f0b9afcace800d73d2191166ff16540258, and click Verify.

Once again, this highlights the importance of security audits of smart contracts and automated systems that discovering such bugs.

About Securify

Access to the Beta version of Securify is available at: https://securify.ch. We plan to release a new version of Securify, which features even more security patterns (such as the unprivileged writes to variables) in the coming months. In the meantime, you can get in touch with the developers of Securify by sending an email to: contact@securify.ch. To learn more about Securify, you can check out our DevCon3 slides, which feature a nice comparison between different security approaches to automated security analysis. A video of our DevCon3 talk will be available soon as well.

Also, check out ChainSecurity, a blockchain security company founded by the creators of Securify.