Parity’s Multi-sig Fiasco

Mohamed Abedelmalik
Published in techburst, Nov 7, 2017

Explain Like I’m 5

Imagine you have a vault in the bank that requires multiple keys to open. Each party can access their key by presenting their correct credentials to the bank associate. In this case, someone found out how to claim one of the keys and subsequently threw it away, meaning the vault cannot be opened. This key also happens to be needed for any other vault created by that manufacturer. By losing one key, he managed to lock several high-value vaults. We still know whose money is inside these vaults, but we just can’t get it out.

Note: There might be some slight technical flaws in this analogy, but it’ll give you a general idea of the problem.

What actually happened

On November 6th, 2017, a developer by the handle devops199 pointed out a flaw in Parity’s multi-sig wallets when he accidentally “wiped out the library code upon which Parity multi-sig wallets’ functionality relied.”

Devops199 was able to make himself the owner of one of the libraries that the wallet relies upon and accidentally killed it. Without access to this library, it’s unclear how the affected funds will be recovered. This bug is present in multi-sig wallets created after July 20th, 2017, since they rely upon the affected library.
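A simplified Python model of the dependency described above, added here as an illustration: it is not Parity's contract code, and the class names, the sample wallets and the fix of setting the library's owner at deployment are assumptions. Multi-signature approval is reduced to a single owner check so the model can focus on why balances survive while withdrawals stop.

```python
class LibraryGone(Exception):
    """A wallet forwarded a call to library code that no longer exists."""

class SharedLibrary:
    """One deployed copy of the wallet logic that every wallet relies on."""
    def __init__(self, owner=None):
        self.owner = owner  # None = ownership left unclaimed (the weak setup)
        self.alive = True
    def claim_ownership(self, caller):
        if self.owner is not None:
            raise PermissionError("library already has an owner")
        self.owner = caller
    def kill(self, caller):
        if caller != self.owner:
            raise PermissionError("only the owner may kill the library")
        self.alive = False
    def authorize(self, wallet, caller):
        return caller in wallet.owners

class Wallet:
    """Holds the balance but keeps no logic of its own."""
    def __init__(self, library, owners, balance):
        self.library, self.owners, self.balance = library, set(owners), balance
    def withdraw(self, caller, amount):
        if not self.library.alive:
            raise LibraryGone("balance intact, but no code left to move it")
        if not self.library.authorize(self, caller) or amount > self.balance:
            raise PermissionError("withdrawal rejected")
        self.balance -= amount
        return self.balance

def simulate(library_owner):
    """Outsider tries to claim and kill the library; then each owner withdraws 10."""
    lib = SharedLibrary(owner=library_owner)
    # Constructed sample wallets, both built on the same library instance.
    wallets = {"alice": Wallet(lib, ["alice"], 100), "bob": Wallet(lib, ["bob"], 250)}
    try:
        lib.claim_ownership("outsider")
        lib.kill("outsider")
    except PermissionError:
        pass  # assumed fix: owner was set at deployment, so the claim is refused
    results = []
    for name, wallet in wallets.items():
        try:
            wallet.withdraw(name, 10)
            results.append((name, "ok", wallet.balance))
        except LibraryGone:
            results.append((name, "locked", wallet.balance))
    return results
```

Calling `simulate(None)` models the unclaimed library and leaves every wallet locked with its balance unchanged; `simulate("deployer")` models the assumed fix and withdrawals go through.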


Why do I care?

This is important because the Parity wallet is commonly used by many different projects to custody funds. While we still don’t know how many projects have been affected, Parity’s own Polkadot was affected by this bug. Account balances for the affected wallets haven’t been wiped out, but they are currently inaccessible.

What’s the current status?

As of 11/7/17 17:30 GMT, there still hasn’t been an official announcement from Parity. They have limited the conversation on GitHub to the Parity team internally. Updates are expected to be announced on Twitter.
