Ethereum wallet firm was warned about critical bug that left $162m 'frozen in time'
587 wallets holding 513,774.16 coins ($162m) were compromised, Parity said.
In early November, a bug in the digital wallets maintained by Parity Technologies was exploited, leaving more than $160m-worth of the cryptocurrency ethereum frozen in time.
Now, after careful analysis of the situation, the company has confirmed it was first made aware of the vulnerability's potential dangers three months earlier.
On 20 July, after a major hack, Parity released updates to the code in its "multi-signature" wallets.
But it failed to spot a vulnerability that one developer – known as devops199 – later triggered by accident.
Essentially, the incident left all multi-signature wallets created after 20 July completely locked down.
At the time, it was estimated that a massive $280m-worth of ethereum had been lost – maybe forever.
Now, the company has said that 587 wallets holding 513,774.16 coins ($162m) were compromised.
Ethereum is a blockchain-based distributed platform specifically made for smart contracts.
Multi-sig wallets are used because they require multiple approvals before any money can be transferred or moved between users. Ethereum, like bitcoin, is only used online.
Parity said in a technical update on Wednesday (15 November) that it was first warned about the potential exploit back in August by a coder using the name "3esmit".
"When you deploy WalletLibrary, the function will be open in that contract," 3esmit wrote. "I recommend you calling initWallet on WalletLibrary [...] just to ensure no one will use it."
Despite the recommendation, Parity said the firm considered the move "a convenience enhancement".
"Interpreting the recommendation as enhancement, the changed code was to be deployed in a regular update at a future point in time," Parity said. Unfortunately, the update didn't come in time.
The company claimed the exploit could have been avoided if the "contract code had not included the functionality to suicide or kill, even if someone had taken ownership" of the wallet, which is what happened when devops199 gained control of the wallet at the start of November.
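The pattern described in the update (a shared library that every wallet delegatecalls into, an `initWallet` whose only guard is an unset owner, and a kill switch inside that shared code), shown beside a hardened form that claims the library's own storage at deployment and drops the kill switch; this is an added illustration, not Parity's code or the article's, and every name other than `initWallet` and the WalletLibrary concept is assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Illustrative reconstruction of the pattern, not Parity's code: every wallet is a thin
// proxy that delegatecalls into one shared library, whose code must outlive every wallet.

contract VulnerableWalletLibrary {
    address public owner;               // slot 0, shared layout with Wallet
    // Guarded only by "owner is still zero": true for fresh wallet storage, but also
    // true for the library's OWN storage, which nothing ever initialised, so a direct
    // call on the library hands its ownership to the caller.
    function initWallet(address _owner) public {
        require(owner == address(0), "already initialised");
        owner = _owner;
    }
    // A kill switch inside the shared code: invoked on the library itself by whoever
    // claimed it above, selfdestruct removes the code every wallet forwards to.
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

contract HardenedWalletLibrary {
    address public owner;
    // Claim the library's own storage at deployment (3esmit's advice, made automatic),
    // so the check in initWallet can never pass for a direct call on the library.
    constructor() { owner = msg.sender; }
    function initWallet(address _owner) public {
        require(owner == address(0), "already initialised");
        owner = _owner;  // still works for wallets: delegatecall writes THEIR slot 0
    }
    // No kill/selfdestruct at all: shared code must not be destructible by any owner.
}

contract Wallet {
    address public owner;           // slot 0, matches the library layout
    address immutable lib;          // immutables live in code, not storage
    constructor(address _lib, address _owner) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner));
        require(ok, "init failed");
    }
    // Every other call runs the library's code against this wallet's storage.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

Deploying the hardened library and then calling `initWallet` on it directly reverts with "already initialised", while wallets created through `Wallet` still initialise normally because delegatecall writes to the wallet's own storage.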
On Reddit, where there is an avid cryptocurrency and Ethereum community, many users expressed disbelief that Parity could have missed the coding error.
"I know it is easy to be smart in hindsight, but these are huge design errors, I can't comprehend how this could pass reviews in the architecture phase," read the top comment on one thread.
Another user added: "The problem is that this library had blatantly non-library-like features in it, such as having an 'owner' variable - it was basically a completely functional wallet in its own right.
"Not only was that bad design practice, that was massively and obviously wrong. The fact that it got deployed and used in that condition shows fundamental problems with the processes used by pretty much everyone involved. This is something that goes beyond just this one specific bug."
At the time of writing, all funds remain frozen. Parity stressed that it is working on a solution.
"We have reached out to affected users," the company assured readers. "We recognise that the issue has, among other things, caused distress and anxiety about the future of projects and funds in our community and we are working hard to explore all feasible solutions."