No one using this wallet library can withdraw funds, and all their ether is likely lost. https://twitter.com/ParityTech/status/927857866203127808
The wallet contract was deployed 109 days ago yet initWallet was only called 22 hours ago, triggering the bug. https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4
Dan Guido Retweeted Patrick McCorry ☘️
Reports are pouring in and the total USD dollar amount may be among the largest ever, now at $278mil USD (1mil ETH). https://twitter.com/paddyucl/status/927885515407454209
The bug looks like a mistake, not an attack, due to forgetting to initialize the wallet when it was deployed.
We recently completed an audit that had precisely this bug. To all smart contract developers: consider initialization very carefully!
Further, mark initialization methods as onlyOwner. We expect to see attacks that exploit race conditions against these methods in the future
Parity likely did not think of their wallet as a classic contract. Their code is in a library, and they delegatecall to execute it directly.
Replying to @dguido
I don't see anywhere the "library" keyword in that code. WalletLibrary is a contract. Wouldn't using library have prevented this incident?
You can’t have variables as a library, which WalletLibrary needs right now. It would be a strange design choice and make it harder to use.
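
The initialization advice in this thread, sketched in Solidity as an added example; it is not Parity's code and does not come from any participant in the thread. The contract names GuardedWalletLibrary and Wallet, the `initialized` flag and the `withdraw` function are hypothetical; only `initWallet`, `onlyOwner` and the delegatecall design come from the tweets.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical shared code contract, reached through delegatecall from Wallet.
contract GuardedWalletLibrary {
    address public owner;
    bool public initialized;

    // Runs in the library's own storage at deployment, so the library
    // instance is never left waiting for a first initWallet call.
    constructor() { initialized = true; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // One-shot initializer: without the first require, any later caller
    // could overwrite the owner.
    function initWallet(address _owner) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "owner required");
        initialized = true;
        owner = _owner;
    }

    function withdraw(address payable to, uint256 amount) external onlyOwner {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hypothetical per-user wallet. Its first storage variables mirror the
// library's, because delegatecall runs library code on this storage.
contract Wallet {
    address public owner;
    bool public initialized;
    address public immutable lib; // immutables do not occupy a storage slot

    // Initialize inside the deployment transaction, leaving no window in
    // which another account can call initWallet first.
    constructor(address _lib, address _owner) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner));
        require(ok, "init failed");
    }

    receive() external payable {}

    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "call failed");
    }
}
```

A deployment check that follows from this: read `initialized` and `owner` on both the library address and each wallet address, and treat any contract whose initializer is still callable as a finding.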