On Monday, November 6, an unknown user triggered a bug in the source code of the Parity Ethereum wallet that has permanently locked funds inside users' accounts.

Parity developers acknowledged the problem and issued a patch. The bug affected only Parity multi-signature wallets, accounts that require signatures from multiple users before moving funds to new accounts.

Not all multi-sig wallets are affected, only those created between July 20 and today.

Problem resides in patch for another bug exploited by hackers

In a security alert, Parity app developers said the bug actually resides in a previous patch Parity devs applied on July 20. That patch fixed a security flaw that hackers exploited on July 19 to steal over $30 million (at the exchange rate of the time) from Parity multi-sig wallets.

Because of the way they work, multi-sig wallets are popular with companies, which assign multiple employees to take care of accounts. They are also used in ICOs — initial coin offerings — a type of financial scheme that allows companies to raise money, similar to IPOs (initial public offerings) in the real world. This means that most of the affected wallets are likely to belong to companies or various financial endeavors.

A Pastebin list circulated online today lists 71 of the affected accounts, holding over 930,000 Ethereum, or nearly $285 million in funds. The number of affected wallets and the actual damage could be much larger.

One of the affected accounts belonged to Polkadot, an Ethereum app developed by Gavin Wood, the founder of the Parity wallet and former Ethereum core developer.

Polkadot confirmed the bug affected one of its multi-sig wallets that stored Ethereum worth nearly $90 million.

On GitHub, a user going by the nickname of Devops199 took credit for discovering and accidentally triggering the bug.

Comae Technologies security researcher Matt Suiche has published an analysis of the recent Parity bug. The bug apparently resided in a library used by Parity's underlying wallet technology.

It is unclear how the Parity team will unlock affected multi-sig wallets. One of the proposed measures is a hard-fork of the entire Ethereum currency in order to apply changes that would unlock affected wallets. While a valid option, a hard-fork is not looked upon with favor by all users, and Parity is still looking for other solutions.