The story of the roughly $300 million (a speculative figure) in ETH frozen due to human error only gets more interesting, as Cappasity Inc. states that something doesn’t seem right about the whole ordeal.
As we have previously stated, last week, popular cryptocurrency wallet ParityTech confirmed that nearly $300m worth of Ethereum was accidentally frozen due to a bug. However, it now appears that the incident may have been caused by a hack instead of a vulnerability.
Cappasity is saying that things don’t add up with regard to the bug, the human error by “devops199” and the accidental exploitation of the bug in the Parity Wallet Library contract. Cappasity believes that there might have been malicious intent.
The story of devops199’s “I accidentally killed it”, in which the library contract was converted into a regular multi-sig wallet, ownership was seized, and the code was then deleted (the “library contract code” to which many Parity multi-sig wallets were connected), freezing significant funds, does not seem to add up for a variety of reasons.
Parity has faced vulnerabilities in the past: one user was able to find a bug and exploit it to seize more than 30 million ETH. The situation was salvaged when whitehats came to the rescue, drained the affected accounts and returned the funds.
Accident or Not?
Cappasity, one of the companies affected by the loss and currently undertaking an ICO, delved further into the matter and has resurfaced with some interesting results.
They state that the actions of devops199 are not accidental, but “fraudulent and deliberate”.
The CEO of Cappasity, Kosta Popov, noted that “the Cappasity platform and the content stored there are secure, the functionality of the platform is unaffected and everything functions as usual. The detected vulnerability in no way affected the BTC wallet of our crowdsale, other company’s accounts or our current business activities.” This statement was made so that current and would-be investors would have no concerns about placing their trust in Cappasity and would continue with their investment.
The team at Cappasity also says that the matter of the locked-up funds (approx. 3,264 ETH) will be remedied by Parity as soon as possible, stating: “Unfortunately, the ETH wallet of our crowdsale was using the affected Parity multi-sig contract. The wallet is not accessible now and will remain inaccessible until the situation is resolved.”
Now, let’s dive into the results of the investigation. They gave a play-by-play of the situation, stating: “On November 6 the user going by ‘devops199’ attempted to call execute(address _to, uint256 _value, bytes _data) of ARToken’s smart contract. Later on that day, he called execute of Polkadot’s smart contract, which now has over $90 million in frozen funds. Then the functions changeOwner(address _from, address _to) and kill(address _to) were called.”
It seems to the team that this user was outright seeking to find the vulnerability and exploit it. They state: “When you are tracking all their transactions, you realise that they were deliberate… Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hacking. We believe that if the situation is not successfully resolved in the nearest future, contacting law enforcement agencies may be the right next step.”
We’ll keep you updated as the situation progresses.