In July, one cryptocurrency company’s coding error helped hackers steal $30 million of the world’s second most valuable digital coin. Now, that company is facing more security problems.
Parity Technologies Ltd., a London-based startup that makes software for so-called crypto wallets, issued a "critical" security alert Tuesday after certain users had funds frozen. The company said in a statement that it fixed the vulnerability that led to the July hack, but failed to catch another weakness that allows users to rewrite code and take ownership of wallets that don’t belong to them. Some users are unable to move funds out of their wallets because important code was deleted. It’s unclear how much ether was locked up and who tampered with the code.
"A code has a library path. Somewhere in that path, someone removed one of the libraries. As a result, the code doesn’t work, and as a result of that, the money is frozen, which can be fixed," said David Mondrus, chief executive of Trive, a blockchain-based research platform. "It does show the difference in performance and safety between hardware and software."
Parity advised users not to deploy multi-signature wallets -- the type impacted by the latest vulnerability -- until the issue has been resolved. Multi-signature wallets are supposed to add an extra layer of security, as they require multiple verifications to confirm a transaction. The company hasn’t yet disclosed how many people have been affected.
"We are still working on the final number and do not want to release any speculative figures," Parity spokeswoman Helena Flack said in an email. "No ether has been stolen."
Among those impacted is the Web3 Foundation, which is working with Parity to build a blockchain network called Polkadot.
"The multi-sig used by the Web3 Foundation to accept contributions for Polkadot was one of those affected, putting the ETH in it beyond access," the firm said in a blog post. "The affected multi-sig wallet does not contain all of the Web3 Foundation’s funds; our ability to build Polkadot as planned and to the original timetable has not been affected."