Another major issue with Parity Wallet within a 4-month stretch, the company informed that on November 6th, 2017 an unidentified person wiped out the library code upon which Parity multi-sig wallets’ functionality relied.
The effect of this action is that Parity multi-sig wallets deployed after July 20th, 2017 have been frozen.
More details are below:
Severity: Critical
Product affected: Parity Wallet (multi-sig wallets)
Summary: A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.
Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.
Following the fix for the original multi-sig issue that had been exploited for $32m worth of ETH on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWalletfunction. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
All dependent multi-sig wallets that were deployed after 20th July functionally now look as follows:
contract Wallet {
function () payable {
Deposit(…)
}
}
This means that currently no funds can be moved out of the multi-sig wallets.
Parity says, “We are analyzing the situation and will release an update with further details shortly.”
