A bug in Parity, a popular wallet for the cryptocurrency and decentralized application platform Ethereum, may have resulted in more than $150 million worth of ether being permanently frozen.
The bug affects Parity multi-sig (multi-signature) wallets, which require more than one owner to "sign" a transaction before it can go through. An unknown attacker (or a careless developer) has exploited it to destroy a piece of Parity's code, effectively rendering all multi-sig wallets created after July 20 completely unusable.
The July 20 date is significant; this is the date when Parity's code was updated to fix a bug that enabled a hacker to steal more than $32 million worth of ether from multi-sig wallets. Unfortunately, the new code contained another bug, which enabled an attacker to turn Parity's library contract — effectively Parity's code — into a multi-sig wallet and destroy it.
"It would seem that issue was triggered accidentally 6th Nov 2017 (...) and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library," wrote Parity in a blog post explaining the incident.
This means that anyone who held Ethereum in a multi-sig wallet created after July 20 can't do anything with it — it's impossible to transfer or spend it. It's unclear how many wallets are affected, but unofficial estimates put the total at no less than 500,000 ether, worth roughly $154 million at the time the hack was discovered.
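The dependency Parity describes can be sketched as a toy Python model (an added illustration, not Parity's contract code; the `Chain` class, addresses and function names are constructed for this example). Wallets hold the funds but run all their logic from one shared library, so once the library's code is wiped, no wallet can move its balance.

```python
# Toy model of stub wallets that delegate all logic to one shared library.
# Constructed for illustration; addresses and function names are hypothetical.
LIB = "0xLIB"

class Chain:
    def __init__(self):
        self.code, self.storage, self.balance = {}, {}, {}
    def deploy(self, addr, code, balance=0):
        self.code[addr], self.storage[addr], self.balance[addr] = code, {}, balance
    def call(self, addr, caller, fn, *args):
        code = self.code.get(addr)
        return code(self, addr, caller, fn, *args) if code else False  # no code: nothing runs

def library_code(chain, self_addr, caller, fn, *args):
    """Shared logic. It runs against the storage of whichever address executes it."""
    st = chain.storage[self_addr]
    if fn == "init":
        if "owner" in st:
            raise PermissionError("already initialised")
        st["owner"] = caller
    elif st.get("owner") != caller:
        raise PermissionError("not an owner")
    elif fn == "kill":
        chain.code[self_addr] = None       # self-destruct: the code is wiped
    elif fn == "send":
        to, amount = args
        chain.balance[self_addr] -= amount
        chain.balance[to] = chain.balance.get(to, 0) + amount
    return True

def wallet_stub(chain, self_addr, caller, fn, *args):
    """Wallet holds funds and state only; every call is delegated to LIB."""
    lib = chain.code.get(LIB)
    return lib(chain, self_addr, caller, fn, *args) if lib else False

def frozen_wallets(chain):
    """Defender's check: stub wallets whose library address no longer has code."""
    return sorted(a for a, c in chain.code.items() if c is wallet_stub and not chain.code.get(LIB))

def replay_incident():
    chain = Chain()
    chain.deploy(LIB, library_code)
    chain.deploy("wallet-1", wallet_stub, balance=100)
    chain.call("wallet-1", "alice", "init")
    before = chain.call("wallet-1", "alice", "send", "bob", 10)
    chain.call(LIB, "stranger", "init")   # the library itself becomes a wallet
    chain.call(LIB, "stranger", "kill")   # and its new owner destroys it
    after = chain.call("wallet-1", "alice", "send", "bob", 10)
    return before, after, chain.balance["wallet-1"], frozen_wallets(chain)
```

`replay_incident()` shows the wallet's transfer working before the library is destroyed and doing nothing afterwards, with the remaining balance stuck at the wallet's address.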
There is some hope, though: Developers still might be able to figure out a way to fix this issue, and even if that fails, an Ethereum hard fork could be used to unfreeze the assets. An Ethereum hard fork was used to retrieve stolen funds after the DAO hack in 2016; at this point there's no indication that Ethereum's leadership plans anything of the sort to undo the Parity bug damage.
Parity was founded by Gavin Wood, who is also the founder of the upcoming blockchain project Polkadot, which recently raised 485,331 ETH, or roughly $145 million, in an ICO. On Tuesday, Polkadot announced that its wallet has been affected by this issue, meaning part of its funds is frozen.
Update: To the best of our knowledge the funds are frozen & can't be moved anywhere. The total ETH circulating social media is speculative.
— Parity Technologies (@ParityTech) November 7, 2017
While this issue won't directly affect the vast majority of ether holders (most users typically don't have the need for multi-sig wallets), it's worth noting that Gavin Wood is also the co-founder of Ethereum. According to his personal web page, he wrote the first functional implementation of Ethereum and invented the Solidity language which powers Ethereum smart contracts. And while Wood isn't currently a part of Ethereum's development team, the fact that his current project suffered two major security issues in a matter of months casts a shadow on the security of Ethereum itself.
The price of Ethereum dropped from roughly $305 to $290 after the news broke, but has since recovered to $300.