$300 mn worth of cryptocurrency lost due to bug

09 Nov 2017

Over $300 million worth of cryptocurrency has been lost following a series of bugs in a popular digital wallet service, which led one curious developer to accidentally take control of and then lock up the funds, according to reports.

Unlike most cryptocurrency hacks, however, the money was not deliberately destroyed, rather it was accidentally destroyed.

The destroyed currency was in the form of Ether, the tradable currency that powers the Ethereum distributed app platform. It was kept in digital multi-signature wallets built by a developer called Parity, which require more than one user to enter their key before the transfer of funds.

The company revealed on Tuesday that while fixing a bug that allowed hackers to steal $32 million out of a few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.

The user, ''devops199'', apparently accidentally triggered the flaw and when they realised what they had done, they attempted to undo the damage by deleting the code that had transferred ownership of the funds. This however, did not return the funds but locked them in the multisignature wallets permanently, with no way to access them.

''This means that currently no funds can be moved out of the multi-sig wallets,'' Parity says in a security advisory.

According to experts Parity's technology is seriously flawed and in July a hacker managed to exploit errors in the multi-signature code to steal about $30 million in Ethereum.

To address the issue Parity updated its wallet software and rolled out a new version. However, that update also contained a bug which was triggered by devops199 on Monday, affecting anyone who had installed the new code since its release.

"That code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function," Parity's advisory stated.

"It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided [sic] the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library."