Parity Multisig Bug Shows Non-Owners of Smart Contracts Can Execute Kill Function

The Ethereum community received a nasty surprise when the latest Parity multisignature hack was exposed. Someone successfully froze millions of dollars worth of Ether with a smart contract exploit. So far, this matter has not been resolved, and there is evidence of this having been a malicious attack first and foremost. It’s an interesting train of thought advanced by the ARToken team.

Parity Multisignature bug may not have been Accidental

There has been a lot of interesting information circulated regarding the recent Parity multisignature exploit. The bottom line is that over half a million Ether has been frozen in smart contracts which have yet to be unlocked. Although Parity itself claims this bug was accidental, it seems there is a very different story that deserves attention as well. The ARToken team reached out to us to explain their findings. More specifically, they seem to think this bug was an orchestrated attack on the wallets in question.

The team recently published a blog post explaining how they were affected by the Parity smart contract bug. With their crowdsale wallet having been affected, around US$1 million remains frozen for the time being. For now, there is no indication as to when this situation will be resolved or what the consequences may be. It is evident that causes major concern for all affected entities.

In total, over 151 wallets containing 513,743 ETH have been frozen in connection with the Parity bug, with the Polkadot ICO possibly being hit the hardest. It is a major blow to the ICO industry and highlights how Ethereum smart contracts are not safe from harm by any means. While some may claim this bug to have been an accident, there seems to be evidence pointing in a very different direction. It seems someone was carefully manipulating a few of the affected smart contracts a few days prior to the attack.

More specifically, the user devops199 called the Execute function of the ARToken smart contract on November 6th. A few minutes prior, the same user had attempted to execute the same function for the Polkadot smart contract. That alone is pretty suspicious. Moreover, the same individual tried to call the changeOwner and kill functions for both smart contracts as well. It is evident this was not done by accident, but was a deliberate attempt to successfully lock companies out of the funds they’d raised.

Why this particular individual would go to such great lengths to freeze funds remains a big mystery. It would make a lot more sense for hackers to steal funds and run off with them. After all, there is no point in freezing ICO funds other than to screw over the affected companies. It is possible devops199 planned to freeze the contracts and steal the funds afterward, though how that would be done is a mystery.

It is certainly true this exploit has gotten a lot of attention on GitHub as of late. If anyone – even non-owners – can kill smart contracts, that is a very big problem, to say the very least. Rest assured this is not the last we will hear about this Parity mishap. For now, the main focus is on the difficult tasks of resolving the problem and returning the funds to their rightful owners. We can only hope this issue gets resolved sooner rather than later.