Location: https://explorer.decentraland.org/?position=-64%2C-113

Description: One would have hoped that the July 2017 multisig incident would have significantly increased the security of Parity Multisig wallets. A subsequent version of their multisig wallets moved to a shared library deployed on the blockchain. The goal was to reduce the cost of deploying new multisig wallets, since reusable code (say, transfer of funds, or code for wallet initialization) did not have to be included in the blockchain for each wallet. That code was in fact reviewed and audited, albeit in the middle of a large commit which also included front-end changes. The issue, however, was not so much in the code itself as in the deployment steps: no one from Parity ever called initWallet on the library contract itself.

On November 6th 2017, a GitHub user named devops199 did just that at block 4,501,736 (see devops199.aetheriablockmuseum.eth). Their motive will never be truly understood. They claimed it was a mistake with their now infamous “I accidentally killed it”, but their choice to explicitly call the suicide method at block 4,501,969 indicated that they had a significant understanding of what they were doing. Approximately $280M at the time (about 1% of all ether in circulation) effectively became stuck and untransferable after the suicide call. Since the individual wallets depended on shared library code which didn’t exist anymore, there was nothing to be done.
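A simplified model of the failure described above, as an added example that is not Parity's contract code or part of the original description. It replays the sequence against a library left uninitialized at deployment and against one locked at deployment; apart from initWallet, every name here (Library, Wallet, kill, deployment_check, replay, harden) is an assumption made for illustration.

```python
# Simplified model, constructed for illustration: wallets delegate their
# logic to one shared library contract. Only initWallet is a name from the page.

class Library:
    """Shared code that is also a contract with its own owner slot."""
    def __init__(self, harden=False):
        self.owner = None          # the library's own storage, not a wallet's
        self.alive = True
        self.initialized = harden  # hardened deploy locks the library itself

    def initWallet(self, caller):
        if self.initialized:
            raise PermissionError("already initialized")
        self.owner, self.initialized = caller, True

    def kill(self, caller):        # stands in for the page's "suicide method"
        if caller != self.owner:
            raise PermissionError("not owner")
        self.alive = False         # the shared code no longer exists

class Wallet:
    """Holds funds; every operation needs the library's code to exist."""
    def __init__(self, library, owner, balance):
        self.library, self.owner, self.balance = library, owner, balance

    def transfer(self, caller, amount):
        if not self.library.alive:
            raise RuntimeError("library code missing: funds stuck")
        if caller != self.owner or amount > self.balance:
            raise PermissionError("rejected")
        self.balance -= amount
        return amount

def deployment_check(library):
    """Post-deploy gate: the library itself must not be claimable."""
    return library.initialized

def replay(harden):
    lib = Library(harden=harden)
    wallet = Wallet(lib, owner="alice", balance=100)
    try:
        lib.initWallet("stranger")  # succeeds only if nobody initialized it
        lib.kill("stranger")
    except PermissionError:
        pass
    try:
        return wallet.transfer("alice", 10)
    except RuntimeError:
        return "stuck"
```

Running deployment_check as a release gate is the step the description says was missing: it fails for the library as deployed and passes once the library's own state is locked.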

This one transaction has had, arguably, the second most negative impact on the Ethereum ecosystem (after the DAO transactions, which led to a hard fork and community split). There were efforts from some in the community to push for changes that would allow recovery of “provably lost/stuck funds”, which could possibly have helped victims of other such accidents. The general idea is that if a private key is stolen and a thief can transfer the funds out, it’s impossible for the owner to prove that they are not, in fact, the thief. In the case of “provably lost” funds, by contrast, it is possible for the owners to prove that they indeed own the funds but simply cannot access them. There was not enough traction in the community for this change to be accepted, so to this day the funds are still visible on the blockchain but cannot be transferred. Ironically, one of the main victims of this hack was the Polkadot multisig wallet owned by the Web3 Foundation, which had also contracted Parity to build Polkadot. Effectively, the lack of an established deployment process at Parity caused one of their key clients to incur a significant loss. After that incident, Parity stopped offering multisig wallet code templates to their client users.

Source: https://github.com/paritytech/parity-ethereum/issues/6995 https://ethereum.stackexchange.com/questions/30128/explanation-of-parity-library-suicide https://etherscan.io/tx/0x47f7cff7a5e671884629c93b368cb18f58a993f4b19c2a53a8662e3f1482f690 https://etherscan.io/tx/0x05f71e1b2cb4f03e547739db15d080fd30c989eda04d37ce6264c5686e0722c9

Exploring Decentraland scene ownership through NFTs and generative art. The PARKs tokens can be used in Decentraland to certify that the scene you are hosting on your LAND is an original scene from artist Sebastian Brocher.

Contract Address: 0x4008...6af8
Token ID: 22
Token Standard: ERC-721
Chain: Ethereum
Creator Earnings: 0%

Parity Multisig Library Suicide
