Parity has announced a critical security alert regarding a vulnerability in the Parity Wallet library contract used by its standard multi-sig contracts. Affected users are said to include individuals with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

Parity reports:

Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However, that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.

All dependent multi-sig wallets that were deployed after 20th July functionally now look as follows:

contract Wallet { function () payable { Deposit(...) } }

This means that currently no funds can be moved out of the multi-sig wallets.

We are analysing the situation and will release an update with further details shortly.
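The failure mode in Parity's report can be followed in a toy Python model, added here as an illustration and not Parity's contract code: wallet stubs delegate every state-modifying call to one shared library, and the library's own storage was never initialized. Apart from initWallet, the names (`destroy`, `withdraw`, `scenario`), the "already initialized" guard and the initialize-at-deploy mitigation are assumptions of this sketch.

```python
# Toy model (constructed), not EVM code. Only initWallet is named on the page;
# destroy, withdraw, scenario and the init guard are assumptions of this sketch.
class Library:
    def __init__(self, init_at_deploy):
        self.alive = True
        # The library is itself a contract with its own owner storage.
        self.own = {"owners": ["deployer"] if init_at_deploy else []}

    # Logic runs against whichever storage the call was delegated from.
    def init_wallet(self, store, caller):
        if store["owners"]:
            raise PermissionError("already initialized")
        store["owners"] = [caller]

    def destroy(self, store, caller):
        if caller not in store["owners"]:
            raise PermissionError("not an owner")
        if store is self.own:  # direct call: the library's own code is removed
            self.alive = False

    def withdraw(self, store, caller, amount):
        if caller not in store["owners"]:
            raise PermissionError("not an owner")
        store["balance"] -= amount
        return amount

class Wallet:
    """Stub that holds funds; every state-modifying call goes to the library."""
    def __init__(self, lib, owner):
        self.lib, self.store = lib, {"owners": [], "balance": 0}
        self.call("init_wallet", owner)

    def deposit(self, amount):  # the only logic left in the stub itself
        self.store["balance"] += amount

    def call(self, fn, caller, *args):
        if not self.lib.alive:
            raise RuntimeError("library code removed")
        return getattr(self.lib, fn)(self.store, caller, *args)

def scenario(init_at_deploy):
    lib = Library(init_at_deploy)
    wallet = Wallet(lib, "alice")
    wallet.deposit(100)
    try:  # a third party calls the library contract directly
        lib.init_wallet(lib.own, "stranger")
        lib.destroy(lib.own, "stranger")
    except PermissionError:
        pass
    wallet.deposit(5)  # deposits still work either way
    try:
        return wallet.call("withdraw", "alice", 50), wallet.store["balance"]
    except RuntimeError:
        return None, wallet.store["balance"]
```

`scenario(False)` leaves the wallet able to receive deposits but unable to withdraw, while `scenario(True)`, where the library's own storage is initialized at deployment, rejects the third-party call and the owner's withdrawal succeeds.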

David Mondrus, CEO of Trive, made the following comment on the hack:

“While Ethereum is a great language and platform, it’s important to remember that it’s still very early in its development and issues like this will arise. Diversification of funds, people, technology and locations is key.”

Apparently all Parity multi-sig wallets have been frozen, including the Polkadot ICO, and the freeze may include many others; one estimate places the amount at around ETH 500,000, worth approximately $146 million.

Parity has published multiple tweets on the issue:

UPDATE: A user exploited an issue and thus removed the library code, as it seems unaware of the consequences. — Parity Technologies (@ParityTech) November 7, 2017

This froze funds in all Parity multi-sig wallets deployed after 20 July. We are analysing the situation and release further details shortly. — Parity Technologies (@ParityTech) November 7, 2017