Approximately $280m worth of the cryptocurrency Ethereum has been frozen in time – and potentially lost forever – after an unidentified developer accidentally triggered a critical bug in a shared code library used by digital wallets maintained by Parity Technologies.
Based on a security advisory published Tuesday (7 November), all multi-signature (multi-sig) wallets – used to store the online money – created after 20 July 2017 are now locked. Analysts indicated that a massive 1 million Ether (ETH) is currently inaccessible to users.
"A user exploited an issue and thus removed the library code," Parity Technologies tweeted. "We are analysing the situation and [will] release further details shortly."
The firm continued: "To the best of our knowledge the funds are frozen & can't be moved anywhere. The total ETH circulating social media is speculative."
Ethereum is a blockchain-based distributed platform specifically tailored for smart contracts.
Multi-sig wallets are used in the cryptocurrency community to require multiple approvals before money can be transferred or moved. Ethereum, like Bitcoin, exists solely on the internet.
"The bug looks like a mistake, not an attack, due to forgetting to initialise the wallet when it was deployed," tweeted hacker and security expert Dan Guido on Tuesday.
"No-one using this wallet library can withdraw funds, and all their ether is likely lost," he added.
Multiple screenshots from GitHub, an online code repository, show that the culprit was a user with the name "devops19". On one forum, the person claimed the vulnerability was stumbled upon by mistake and was swiftly reported. "Will I get arrested for this?" they wrote.
Cryptocurrency expert Tuur Demeester, editor in chief at Adamant Research, said on Twitter that approximately $90m worth of the money belonged to Parity founder Gavin Wood.
Matthieu Suiche, a security and cryptocurrency expert at Comae Technologies, said in a blog post that the bug in question had likely managed to escape an internal Parity code review.
He explained: "Since, by design, smart-contracts themselves can't be patched easily, this makes dependencies on third party libraries very lethal if a mistake happens.
"We have seen a lot of enthusiasm from a lot of people about blockchain-based smart contracts, and the general assumption from users is that they would be secure. But just like any other piece of software a smart-contract can be vulnerable."
He added: "All the recent security issues around smart contracts are challenging [...] the sustainability of storing money on a blockchain-based software layer."
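The two technical points above, that the shared library was never initialised when it was deployed and that wallets which depend on a third-party contract cannot be patched once the dependency disappears, can be illustrated with a small Solidity example. This is an added illustration, not Parity's code and not taken from the article; the contract and function names (UnguardedWalletLogic, GuardedWalletLogic, WalletProxy, initWallet) are hypothetical, and the first contract is written to show the pattern to avoid, the second the defensive form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not Parity's code. A shared "logic" contract holds
// the wallet code; thin wallet contracts forward every call to it with
// delegatecall, so the logic runs against each wallet's own storage. All names
// here are hypothetical.

// PATTERN TO AVOID: the one-time initialiser is public and the logic contract's
// own storage is never initialised at deployment. Nothing distinguishes a wallet
// running initWallet via delegatecall from a direct call on the shared logic
// contract itself, so the shared code can end up with an owner it never intended.
contract UnguardedWalletLogic {
    address[] public owners;
    bool public initialised; // stays false in the logic contract's own storage

    function initWallet(address[] memory _owners) public {
        owners = _owners;
        initialised = true;
    }
}

// DEFENSIVE FORM: the constructor marks the logic contract's own storage as
// initialised, and initWallet refuses to run twice. A wallet can still run it
// once against its fresh storage; any call on the logic contract itself, or a
// second call on a wallet, reverts.
contract GuardedWalletLogic {
    address[] public owners;
    bool public initialised;

    constructor() {
        initialised = true; // the shared code itself is never a wallet
    }

    modifier onlyUninitialised() {
        require(!initialised, "already initialised");
        _;
    }

    function initWallet(address[] memory _owners) public onlyUninitialised {
        require(_owners.length > 0, "no owners");
        owners = _owners;
        initialised = true;
    }
}

// Minimal wallet that delegates to the logic contract. `logic` is immutable
// (stored in code, not in storage), so storage slots 0 and 1 line up with the
// logic contract's `owners` and `initialised`, and the wallet's behaviour cannot
// be re-pointed after deployment.
contract WalletProxy {
    address public immutable logic;

    constructor(address _logic) {
        require(_logic.code.length > 0, "logic has no code");
        logic = _logic;
    }

    fallback() external payable {
        (bool ok, bytes memory ret) = logic.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly {
            return(add(ret, 32), mload(ret))
        }
    }

    receive() external payable {}
}
```

The guard only helps if the logic contract's own storage is set at deployment, which is the step the article says was forgotten. The second half of the risk is the one Suiche describes: a proxy whose logic address is fixed has no recovery path if the logic contract's code is ever removed, so shared logic should contain no self-destruct path at all, and the dependency should be reviewed as carefully as the wallet itself.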
For now, a widespread investigation appears to be ongoing.
Speaking to CoinDesk, a website dedicated to digital currency, the security chief at the Ethereum Foundation, Martin Holst Swende, said that a "hard fork" [an emergency update] of the entire ETH blockchain may be the only way to release the frozen funds to users.
"There's unfortunately no way to recreate the code without a hard fork," Swende said. "Any solution which makes the locked funds accessible requires a hard fork."
And on Wednesday (8 November), Vitalik Buterin, the co-founder of Ethereum, tweeted that he was "deliberately refraining" from commenting on the ongoing Parity wallet issues.
Buterin wrote that he wanted to "express strong support for those working hard on writing simpler, safer wallet contracts or auditing and formally verifying security of existing ones."
In July 2017, it emerged that a hacker had compromised more than $30m (£23m) worth of the Ethereum currency by exploiting a separate issue in a number of Parity-maintained wallets.