In July, one cryptocurrency company’s coding error helped a hacker to steal $30 million of the world’s second most valuable digital coin. Now, that company is facing more security problems.
Parity Technologies Ltd., a London-based startup that makes software for so-called crypto wallets, issued a "critical" security alert Tuesday after certain users had funds frozen. The company said in a statement that it fixed the vulnerability that led to the July hack, but failed to catch another weakness that allows users to rewrite code and take ownership of wallets that don’t belong to them.
Some users are unable to move funds out of their wallets because important code was deleted, resulting in the accidental loss of $300 million.
A developer apparently triggered the flaw by accident. On realizing what they had done, the user attempted to undo the damage by deleting the code that had transferred ownership of the funds. Rather than returning the money, however, that simply locked all the funds in those multi-signature wallets permanently, with no way to access them.
"A code has a library path. Somewhere in that path, someone removed one of the libraries. As a result, the code doesn’t work, and as a result of that, the money is frozen, which can be fixed," said David Mondrus, chief executive of Trive, a blockchain-based research platform. "It does show the difference in performance and safety between hardware and software."
Parity advised users not to deploy any further multi-signature wallets until the issue has been resolved. Multi-signature wallets are supposed to add an extra layer of security, as they require multiple verifications to confirm a transaction.