Parity Multi-Sig Wallet Freeze — November 2017
A user calling himself 'devops199' invoked a library function that turned a critical Parity contract into a self-destructed shell, freezing approximately $300M worth of ETH across 587 wallets — permanently inaccessible.
The Parity Wallet was a popular multi-signature wallet contract for Ethereum developed by Parity Technologies. Multi-sig wallets deployed by users were proxies that delegated their core logic to a single shared library contract at a fixed address.
The library contract's 'initWallet' function — which set the wallet's owners — had no permission check. On 19 July 2017 an attacker exploited this to drain three multi-sig wallets of 153,037 ETH. Parity patched the user-facing wallets but did not redeploy the library contract.
On 6 November 2017 a GitHub user calling themselves 'devops199' invoked the unprotected 'initWallet' on the library directly, becoming its sole owner. They then called 'kill', which triggered the contract's selfdestruct() and removed it from the chain. Every proxy wallet that depended on the library — approximately 587 of them, holding 514,000 ETH — lost its delegated logic and became unable to sign transactions.
Parity and the broader Ethereum community proposed protocol-level recovery (most notably EIP-156 and EIP-867) that would have allowed selective unfreezing of the affected wallets. None reached consensus. The funds remain frozen at the time of writing.
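The dependency described above, where every wallet runs the library's code against its own storage while the library account keeps separate state of its own, can be shown in a small model. This is an added example, not Parity's contract code: `Chain`, `Proxy`, `simulate` and the `guarded` flag are hypothetical names, and the guarded variant (library storage initialised at deployment, `initWallet` refusing to run twice) is an assumed hardening rather than a fix the page attributes to Parity.

```python
# Constructed model of the shared-library wallet design; not Parity's code.
class Chain:
    def __init__(self):
        self.code, self.storage = {}, {}
    def deploy(self, addr, logic, storage=None):
        self.code[addr], self.storage[addr] = logic, dict(storage or {})
    def call(self, addr, sender, fn, *args):
        logic = self.code.get(addr)
        # An address without code accepts the call and does nothing.
        return getattr(logic, fn)(self, addr, self.storage[addr], sender, *args) if logic else None

class WalletLibrary:
    def __init__(self, guarded):
        self.guarded = guarded
    def initWallet(self, chain, this, store, sender, owners):
        if self.guarded and "owners" in store:
            raise PermissionError("already initialised")
        store["owners"] = list(owners)       # unguarded: anyone may (re)set owners
    def kill(self, chain, this, store, sender):
        if sender not in store.get("owners", []):
            raise PermissionError("not an owner")
        chain.code[this] = None              # selfdestruct: removes code at `this`
    def execute(self, chain, this, store, sender, to, amount):
        if sender not in store.get("owners", []):
            raise PermissionError("not an owner")
        return ("sent", to, amount)

class Proxy:
    def __init__(self, lib):
        self.lib = lib
    def __getattr__(self, fn):               # fallback: delegate every call to the library
        def forward(chain, this, store, sender, *args):
            logic = chain.code.get(self.lib)
            # Library code runs with the proxy's address and storage; if it is gone, no-op.
            return getattr(logic, fn)(chain, this, store, sender, *args) if logic else None
        return forward

def simulate(guarded):
    chain = Chain()
    # Assumed hardening: the library's own storage is initialised when it is deployed.
    chain.deploy("LIB", WalletLibrary(guarded), {"owners": []} if guarded else None)
    chain.deploy("WALLET", Proxy("LIB"))
    chain.call("WALLET", "alice", "initWallet", ["alice"])
    try:
        chain.call("LIB", "stranger", "initWallet", ["stranger"])  # direct call to library
        chain.call("LIB", "stranger", "kill")
    except PermissionError:
        pass
    return chain.call("WALLET", "alice", "execute", "bob", 1)
```

`simulate(False)` returns `None` because the wallet's delegated logic no longer exists even though its own storage and owners are untouched; `simulate(True)` returns the completed transfer.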
Timeline
- First Parity multi-sig hack — 153,037 ETH stolen
Attacker exploits missing permission check in 'initWallet' to take ownership of three wallets.
- 'devops199' becomes owner of Parity library contract
Anonymous GitHub user calls the still-unprotected 'initWallet' on the shared library.
- 'devops199' invokes 'kill' on the library
selfdestruct() removes the library. All 587 wallets dependent on it lose their delegated logic and freeze.
- EIP-867 recovery proposal withdrawn
After community consensus fails to form around any unfreeze mechanism.
- EIP-999 (recover-only-Parity-wallets) fails community vote
No subsequent recovery effort reaches the implementation stage.
Who was involved
- Parity Technologies (project, enabler)
Legal record
- Library Contract: 0x863DF6BFa4469f3ead0bE8f9F2AAE51c91A907b4
- Recovery Proposals Failed: EIP-156, EIP-867, EIP-999