More than $230 million in cryptocurrency has been potentially lost forever after a user “accidentally” took control of the funds and deleted them when trying to return them.
The vulnerability was discovered in the code that supports Parity’s multi-signature wallet used to store Ether, a cryptocurrency operating on the Ethereum blockchain. Ether is the second most prominent cryptocurrency behind Bitcoin.
In a “postmortem” posted this week, Parity said that an anonymous user took control of 587 wallets holding more than 510,000 Ether (about $230 million) on 6 November by exploiting a vulnerability in the library smart contract code supporting the digital wallets.
“The user decided to exploit this vulnerability and made himself the ‘owner’ of the library contract. Subsequently, the user destructed this component,” Parity said in the post.
The user deleted the library contract code, effectively freezing the wallets and locking the funds stored in them, with no way to restore access.
“While the funds remain in the affected wallets, the wallets themselves are inaccessible,” the company said.
It’s the second time Parity’s wallets have been hacked, with about $US30 million stolen in July.
Parity acknowledged that the flaw has caused “distress and anxiety” for a number of people, and said it is currently “working hard to explore all feasible solutions”.
Parity maintains that the funds have not been “lost” but are instead currently “frozen”. It appears the only possible way to unfreeze these funds is to initiate a ‘hard fork’ of Ethereum, which would effectively go back in time to before the error occurred and continue from there. This would require the support of the majority of users.
“Parity Technologies will handle much of the development work around these proposals and work constructively with the Ethereum Foundation team and the community towards further protocol layer development,” the company said.
“We are committed to the continued development of Ethereum.”
It is similar to an incident two years ago when Ethereum app DAO was hacked and $US150 million in funds was stolen. That time, a ‘hard fork’ was successfully completed and the funds were effectively returned to the users.
Parity has launched a website for users to check whether they were impacted by the accidental hack, and what to do if they were.
“We deeply regret the impact this situation is causing among our users and within the community,” Parity Technologies founder Jutta Steiner said in a statement.
“We do ask that people get in touch with us if they have any uncertainties and to not believe the speculation circulating in the media. We are endeavouring to find a solution as soon as possible and we would like to thank everyone for the support we’ve experienced so far.”
The accidental hack impacted any users that created a Parity Wallet since July. It was initially estimated that nearly $US300 million in Ether had been lost, but the company now claims this is closer to $US160 million.
The incident has impacted a number of startups undertaking an Initial Coin Offering, a style of crowdfunding using cryptocurrencies.
One of those impacted is Cappasity, which in a blog post said it had been using a Parity wallet for its crowdsale, and has lost about $US1 million in funds.
Interoperability platform Polkadot also posted that it had a significant amount raised during its recent ICO locked up due to the Parity hack.