Parity Multi-sig wallets funds frozen (explained)

What started off as an innocent issue on GitHub has turned out to be a fiasco of epic proportions.

The GitHub user devops199 opened issue #6995, “anyone can kill your contract”. The user claims that he accidentally killed the contract 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4. (Txn link: here)

The user called the initWallet function on the contract above and became its owner. Once the user had acquired ownership, he killed the contract (a.k.a. suicide). The user could call initWallet and become the owner because the contract had never been initialized and the variable only_uninitialized was not set.

When a new multi-sig wallet (which is technically a contract) is deployed, the code in Parity’s GitHub repository is essentially used as a template for the smart contract. The deployed multi-sig wallet calls the contract address mentioned above using delegatecall. Since this contract has been nuked, the multi-sig wallets have become unusable, as all of their logic depended on the library contract. Essentially, no funds residing in these multi-sig wallets can be transferred out.

In essence, all Parity multi-sig wallets had a single point of failure, and that address was in the wallet library Solidity code:

constant _walletLibrary = 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4
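The failure described above, as a toy Python model (an added example, not Parity's contract code): a direct call runs the library's code on the library's own storage, while a wallet's delegatecall runs the same code on the wallet's storage. `Chain`, `scenario` and the account names are hypothetical, and initializing the library at deployment is an assumed mitigation, not something stated on this page.

```python
# Toy model of the call semantics described above; all names are hypothetical.
from contextlib import suppress

LIB = "library"  # stands in for the shared wallet library address

class Chain:
    def __init__(self):
        self.code, self.storage, self.balance = {}, {}, {}

    def deploy(self, addr, logic=None, balance=0):
        self.code[addr], self.storage[addr], self.balance[addr] = logic, {}, balance

    def run(self, code_addr, this, sender, fn, *args):
        # Run code at code_addr on the state of `this`; an address without code does nothing.
        logic = self.code.get(code_addr)
        return None if logic is None else logic[fn](self, this, sender, *args)

def init_wallet(chain, this, sender, owner):
    if "owner" in chain.storage[this]:  # the "only uninitialized" guard
        raise PermissionError("already initialized")
    chain.storage[this]["owner"] = owner

def kill(chain, this, sender):
    if chain.storage[this].get("owner") != sender:
        raise PermissionError("not owner")
    chain.code[this] = None  # self-destruct removes the code

def execute(chain, this, sender, to, amount):
    if chain.storage[this].get("owner") != sender:
        raise PermissionError("not owner")
    chain.balance[this] -= amount
    chain.balance[to] = chain.balance.get(to, 0) + amount
    return True

WALLET_LIBRARY = {"initWallet": init_wallet, "kill": kill, "execute": execute}

def scenario(init_library_at_deploy):
    chain = Chain()
    chain.deploy(LIB, WALLET_LIBRARY)
    if init_library_at_deploy:  # assumed mitigation: deployer initializes the library
        chain.run(LIB, LIB, "deployer", "initWallet", "deployer")
    chain.deploy("wallet", balance=100)
    chain.run(LIB, "wallet", "alice", "initWallet", "alice")  # wallet delegatecalls
    with suppress(PermissionError):  # a third party calls the library directly
        chain.run(LIB, LIB, "stranger", "initWallet", "stranger")
        chain.run(LIB, LIB, "stranger", "kill")
    moved = chain.run(LIB, "wallet", "alice", "execute", "bob", 40)
    return moved, chain.balance["wallet"]
```

`scenario(False)` leaves the wallet's balance untouched because the forwarded call reaches an address with no code; `scenario(True)` rejects the third party's `initWallet` and the owner's transfer goes through.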

Parity has released a security alert on their website, and their issue on GitHub has been assigned the label P0-dropeverything.

This issue comes after another hack that Parity had faced in July 2017.

Update: As per Reddit user ItsAConspiracy, the reason for designing the multi-sig wallet this way (with a single point of failure) was to save gas costs.

Reactions and developments:

  1. Users on Gitter have calculated that approximately 500k ETH is frozen in these multi-sig wallets. The approximate cost of this is $150 million USD as of now (at $300/ETH).
  2. Polkadot has admitted that their multi-sig wallet is among those that are frozen.
  3. Screenshot of Parity’s Twitter handle:
  4. Reactions from the crypto world have been nothing less than stellar. You can catch some of the action here:
  5. The Reddit thread is here: Link

Update1: Not all of Polkadot’s ICO ether is locked in the multi-sig wallet issue.

