
$300M Frozen in Parity Multi-Sig Wallets


On Monday, a user named devops199 on GitHub accidentally froze the funds on all Parity multi-sig wallets that were deployed after July 20th due to a previously unknown vulnerability.


Parity has issued a security alert detailing this incident:

...it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It is our current understanding that this vulnerability was triggered accidentally on 6th Nov 2017 02:33:47 PM +UTC and subsequently a user deleted the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable and funds frozen...
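
The failure mode in Parity's alert can be modeled in a few lines. This is an added Python sketch, not Parity's contract code: every name except initWallet is an assumption, and the deploy-time initialization shown as hardening is one possible guard, not a fix described in the alert.

```python
# Toy model of a shared-library wallet design. Constructed for illustration;
# every name except initWallet is an assumption, not Parity's code.
class Contract:
    def __init__(self):
        self.storage = {"owners": []}   # each contract has its own storage
        self.has_code = True

def init_wallet(ctx, caller):
    # Sets the first owner of whichever contract's storage is in use.
    if ctx.storage["owners"]:
        raise PermissionError("already initialized")
    ctx.storage["owners"] = [caller]

def kill(ctx, caller):
    # Owner-only: removes the code of the contract it executes in.
    if caller not in ctx.storage["owners"]:
        raise PermissionError("caller is not an owner")
    ctx.has_code = False

LOGIC = {"initWallet": init_wallet, "kill": kill}

class Library(Contract):
    def __init__(self, claim_own_storage=False):
        super().__init__()
        if claim_own_storage:           # hardening (assumed): owner set at deploy
            init_wallet(self, "deployer")

    def call(self, fn, caller):         # direct call: library's OWN storage
        LOGIC[fn](self, caller)

class Wallet(Contract):
    def __init__(self, library, owner, balance):
        super().__init__()
        self.library, self.balance = library, balance
        LOGIC["initWallet"](self, owner)  # library code, wallet's storage

    def usable(self):                   # all wallet logic lives in the library
        return self.has_code and self.library.has_code

def scenario(hardened):
    lib = Library(claim_own_storage=hardened)
    wallets = [Wallet(lib, f"owner{i}", 100) for i in range(3)]
    try:
        lib.call("initWallet", "outsider")  # the sequence the alert describes
        lib.call("kill", "outsider")
    except PermissionError:
        pass                                # hardened library rejects the call
    return [w.usable() for w in wallets], sum(w.balance for w in wallets)

if __name__ == "__main__":
    print("unprotected:", scenario(False))
    print("hardened:   ", scenario(True))
```

In the unprotected run the balances are untouched but no wallet can execute any logic, which is why the funds are described as frozen rather than stolen.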

This comes after Parity multi-sig wallets were hacked earlier in July, which resulted in $30M worth of Ether being stolen.

Multi-sig wallets require multiple people to sign off on a transaction before it can be sent. Their most notable use is by organizations that have collected funds from an ICO. It is believed that around $300M worth of Ether has been frozen, and Polkadot is believed to have been hit the hardest (with some speculating that as much as $90M of their funds was frozen).

Parity has launched a site where you can check if your wallet was affected: https://affected.parity.io/

A hard fork would be required to unfreeze the funds in the affected wallets. This will most likely be addressed in the already planned Constantinople hard fork, which is expected to update the Ethereum network in 2018. Users and organizations with affected wallets will have to hold tight until then.