Parity Technologies has released an update about their investigation into the multi-signature wallet bug that permanently froze hundreds of millions of dollars worth of ether. Unfortunately for wallet owners, the analysis has not yet revealed any turnkey solutions.
Last week, 587 wallets containing a total of 513,774.16 ether — worth $161 million at current exchange rates — were permanently locked following the exploitation of a vulnerability in the library contract that governs Parity’s multi-sig wallets.
Although at least one startup affected by the bug believes the exploit was intentional, the prevailing theory is that an inexperienced developer accidentally triggered the bug, which gave him or her control over the Parity library contract. After gaining ownership of the contract library, he or she panicked and “suicided” the contract, whose logic was referenced in all Parity-based multi-sig wallets. As a result of the exploit, funds in all 587 affected multi-sig wallets are frozen; they cannot be accessed by their owners — or anyone else.
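The dependency described above, as an added Python model (not Parity's code and not part of the original article): each wallet holds a balance but forwards all logic to one shared library, so destroying the library strands every wallet at once. The names `claim`, `destroy` and `claim_locked`, and the way ownership is taken, are assumptions for illustration; the article does not describe the bug's internals.

```python
# Simplified, constructed model of "many wallets, one shared logic library".
class Library:
    """Shared wallet logic. Method names here are hypothetical."""
    def __init__(self, claim_locked=False):
        self.owner = None
        self.alive = True
        # Hardened variant (assumption): the library itself can never be claimed.
        self.claim_locked = claim_locked

    def claim(self, caller):
        # Assumed flaw: anyone may take ownership of the unowned library.
        if self.claim_locked or self.owner is not None:
            raise PermissionError("library ownership is not claimable")
        self.owner = caller

    def destroy(self, caller):
        if caller != self.owner:
            raise PermissionError("only the owner may destroy the library")
        self.alive = False  # models the library contract being "suicided"

    def withdraw(self, wallet, caller, amount):
        if caller not in wallet.owners or amount > wallet.balance:
            raise PermissionError("not permitted")
        wallet.balance -= amount
        return amount

class Wallet:
    """Holds funds; has no withdrawal logic of its own."""
    def __init__(self, library, owners, balance):
        self.library, self.owners, self.balance = library, set(owners), balance

    def withdraw(self, caller, amount):
        if not self.library.alive:
            return 0  # no logic left to run: the balance stays where it is
        return self.library.withdraw(self, caller, amount)

def run_incident(claim_locked):
    """Return (amount each owner could withdraw, total frozen balance)."""
    lib = Library(claim_locked=claim_locked)
    wallets = [Wallet(lib, {f"owner{i}"}, 100) for i in range(3)]
    try:
        lib.claim("stranger")    # a third party takes over the library...
        lib.destroy("stranger")  # ...and then destroys it
    except PermissionError:
        pass                     # hardened library rejects the claim
    withdrawn = [w.withdraw(f"owner{i}", 40) for i, w in enumerate(wallets)]
    frozen = 0 if lib.alive else sum(w.balance for w in wallets)
    return withdrawn, frozen
```

With the claimable library every legitimate withdrawal returns nothing and the full balance is frozen; with the locked library the same sequence leaves the wallets usable.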
This is the second time this year that a significant Parity vulnerability has been exploited to the detriment of multi-sig wallet users. Several months ago, approximately $32 million worth of funds were stolen after a hacker activated a separate bug in the organization’s multi-sig wallets. But, unlike with the previous hack, the funds affected by this bug are frozen — not stolen — so developers have time to explore potential solutions that will restore funds to wallet owners.
In this latest update, Parity says that its team is “working on a broadly accepted solution that will unblock the funds.” The post floated EIP156, an Ethereum Improvement Proposal intended to help users recover funds rendered “stuck” by several past issues, including residual effects of the hard fork that resulted in the creation of Ethereum Classic. EIP156 must also be implemented through a hard fork, so many people are afraid that its activation will cause another blockchain split. Consequently, some developers have suggested including it as a component of “Constantinople,” a protocol upgrade tentatively scheduled for 2018 as a follow-up to Byzantium.