A series of bugs in the Parity wallet has led to a huge amount of ether being locked up accidentally. Rather than being the result of a malicious hack, the loss of such a large amount of money appears to be the result of a developer mistake in trying to react to flaws in the Parity code.
The flaw was contained in the fix for the multi-sig vulnerability that was exploited by hackers in July, and which led to the theft of $30 million in ether.
The new Parity wallet contract, deployed on 20 July, contained another vulnerability in its code, and it is this that set in motion the chain of events that led to the loss. In the words of Parity, the new vulnerability meant that:
“…it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function.”
This vulnerability was accidentally triggered by a developer, who then deleted the code in an attempt to undo the damage. However, this had the effect of rendering all multi-sig contracts unusable and freezing the funds, since their logic was contained in the library.
So, the result seems to be that hundreds of millions of dollars’ worth of ether is locked up with no immediate way of accessing it.
The freeze affects all multi-sig wallets created on Parity after 20 July.
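The sequence described above can be modelled in a few lines. This is an added illustration, not Parity's contract code: the class names, the "LIB" address, the balances and the initialise-at-deploy mitigation are assumptions made for the example, and init_wallet stands in for the initWallet function named in Parity's statement.

```python
# Simplified model, constructed for illustration; not Parity's contract code.
# Wallets hold funds but forward all logic to one shared library contract.

class WalletLibrary:
    """Shared logic. It is also a contract with owner state of its own."""
    def __init__(self, initialise_at_deploy):
        self.owners = set()
        # Hardened variant (assumed mitigation): mark the library as
        # initialised when it is deployed, so nobody can claim it later.
        self.initialised = initialise_at_deploy

    def init_wallet(self, caller):
        if self.initialised:
            raise PermissionError("already initialised")
        self.owners = {caller}
        self.initialised = True

    def delete_code(self, caller, chain, address):
        if caller not in self.owners:
            raise PermissionError("not an owner")
        del chain[address]  # the address no longer has any code

class MultiSigWallet:
    """Holds a balance; every operation depends on the library's code."""
    def __init__(self, chain, library_address, balance):
        self.chain = chain
        self.library_address = library_address
        self.balance = balance

    def withdraw(self, amount):
        if self.library_address not in self.chain:
            raise RuntimeError("library code is gone: funds frozen")
        self.balance -= amount
        return amount

def run_scenario(initialise_at_deploy):
    chain = {"LIB": WalletLibrary(initialise_at_deploy)}  # address -> code
    wallet = MultiSigWallet(chain, "LIB", balance=100)
    try:
        chain["LIB"].init_wallet("any_account")   # become owner of library
        chain["LIB"].delete_code("any_account", chain, "LIB")
        wallet.withdraw(10)
    except PermissionError:
        return ("library intact", wallet.withdraw(10))
    except RuntimeError:
        return ("frozen", wallet.balance)
    return ("unexpected", wallet.balance)

if __name__ == "__main__":
    print(run_scenario(False), run_scenario(True))
```

In the uninitialised case the wallet's balance is untouched but unreachable, which is the frozen state the article describes; in the hardened case the ownership claim is rejected and the wallet keeps working.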
In terms of dollar value, that equates to around three times the size of The DAO hack, which at the time represented a much larger portion of the overall Ethereum market than the Parity loss.
Ethereum developers have been quick to point out that the problem occurred due to the smart contract code built on top of Ethereum, rather than being a result of Ethereum itself.
However, the problem seems to highlight a key concern of blockchain technology. Due to the unstoppable nature of blockchain code, which is rightly one of the tech’s main selling points, the bugs can share the same unstoppable quality.
This has been shown in both The DAO and Parity Wallet hacks.
Others are laying the blame solely at the feet of Parity. The fact that this vulnerability was contained in the response to a hack that lost $30 million certainly does not reflect well on the company.
For others, the situation further demonstrates the flaws in the Solidity language that is used to write Ethereum smart contracts. Litecoin creator Charlie Lee told CoinDesk that Solidity is “one of the worst languages to use if you want to write bug-free code”.