Parity Publishes Post Mortem on devops199 Hack that Froze $172 Million in ETH

Parity has taken a breather from the “all hands” call that went out last week, when a nefarious character under the username “devops199” destroyed the Parity library, blocking 587 wallets holding 513,774.16 ETH and a few other tokens. The vulnerability that devops199 uncovered allowed this person to make themselves the owner of the library, which was not a good thing. Parity is now in the process of reaching out to all affected users, adding that they recognize the issue caused some “distress and anxiety”, but assured everyone they are working to make certain something like this never happens again.

Parity, in a blog post, has explained how the hack occurred:

“In the aftermath of the attack on July 19th 2017, we fixed and re-deployed the library contract on July 20th 2017.

In August, a Github contributor called “3esmit” recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement. Thus, we committed this proposed enhancement to the library contract that would automatically initialize it by calling initWallet on construction. Interpreting the recommendation as enhancement, the changed code was to be deployed in a regular update at a future point in time.

On November 6th 03:25:21 PM +UTC, ‘devops199’ identified the uninitialised owner in the contract deployed in July and chose to initialise it, thereby setting themselves as the owner. Subsequently, devops199 chose to kill the library contract.”
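The sequence in the post mortem, as a simplified Solidity model added here for illustration; it is not Parity's code. Only `initWallet` and the kill step are named on the page; the contract names, the single-owner storage and the `WalletStub` that forwards calls with `delegatecall` are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a simplified model, not Parity's source. Only the names
// initWallet and "kill" come from the post mortem; the rest is assumed.

// BEFORE: the shared library as deployed in July. Its own storage was never
// initialised, so owner is still address(0) on the library contract itself.
contract WalletLibraryUninitialised {
    address public owner;

    // The only guard is "not initialised yet", which holds for the library's
    // own storage, so whoever calls first becomes the library's owner.
    function initWallet(address _owner) public {
        require(owner == address(0), "already initialised");
        owner = _owner;
    }

    // Owner-only destruction: the "kill" step. selfdestruct is deprecated in
    // current Solidity and compiles with a warning.
    function kill(address payable _to) external {
        require(msg.sender == owner, "not owner");
        selfdestruct(_to);
    }
}

// AFTER: the enhancement the post mortem describes, initWallet called on
// construction. The library is owned by its deployer from deployment, so a
// later direct initWallet call on it reverts with "already initialised".
contract WalletLibraryInitialised is WalletLibraryUninitialised {
    constructor() { initWallet(msg.sender); }
}

// Assumed wallet stub: holds the funds and forwards every other call to the
// library with delegatecall. A delegatecall to an address without code
// succeeds but runs nothing, so once the library is destroyed the balance
// held here can no longer be moved.
contract WalletStub {
    address public owner;                    // slot 0, same as in the library
    address public immutable walletLibrary;  // immutables use no storage slot

    constructor(address _library) { owner = msg.sender; walletLibrary = _library; }

    receive() external payable {}

    fallback() external payable {
        (bool ok, ) = walletLibrary.delegatecall(msg.data);
        require(ok, "library call failed");
    }
}
```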

So now the big question is: what is Parity going to do to unfreeze all of these impacted accounts?

They are currently working on several possible solutions, or “Ethereum improvement proposals (EIPs)”, that may unblock the funds, but they do not have a timeline as to when this will be accomplished. Not exactly what holders of the estimated $172 million worth of ETH want to hear, but it is not like they are saying it is all gone.

Parity says they “remain committed to being at the vanguard of Ethereum technology development and we will work diligently to develop secure and useful technology for the community.”

You may read the entire blog post here.

