Ethereum is in the news again as a security bug in the popular Parity wallet service is making it impossible to transfer funds out of certain Parity wallets. The bug was accidentally triggered by an individual who claims to be new to Ethereum.
Only multi-signature wallets created with a digital contract are affected. These wallets were created after July 20 to prevent theft, they were supposed to be super secure but it appears a bug in the coding left all these accounts vulnerable. It's estimated that about one million ether is affected by the freeze, at press time that's worth close to $300 million.
Interestingly, almost a third of these funds are the property of Parity founder and former Ethereum core developer Gavin Woods' Initial Coin Offering (ICO) Polkadot.
By calling a function from within Parity's wallet library, a wallet owner could turn a normal single-owner wallet created with Parity's wallet contract library code into a multi-signature wallet and take over ownership of it. That bug in the code would allow someone to kill contracts between any created with the most recent Parity code library—and that is exactly what happened. Someone managed to invoke the code as part of a wallet and made themselves part of every multi-signature contract created since the bug was introduced into the code. The user then "suicided" the wallet and, in the process, disabled all the multi-signature contracts that had been created since July 20 by making them "suicide" as well.
Full details at ARS Technica. Parity is investigating the issue and looking at how it can fix the problem. Definitely another dent in the reputation of cryptocurrency platforms. Some users are calling for a hard fork to fix the issue, but Ethereum co-founder Vitalik Buterin comments the real issue here are the wallet systems:
I am deliberately refraining from comment on wallet issues, except to express strong support for those working hard on writing simpler, safer wallet contracts or auditing and formally verifying security of existing ones.