Parity-ethereum: anyone can kill your contract

Created on 6 Nov 2017  ·  17 Comments  ·  Source: openethereum/parity-ethereum

F1-security 🛡 M8-contracts 🤝 P0-dropeverything 🌋

All 17 comments

Hmmh, clearly the kill came from registered owner, and required signatures was 0, see initWallet transaction arguments https://etherscan.io/tx/0x05f71e1b2cb4f03e547739db15d080fd30c989eda04d37ce6264c5686e0722c9

Will it affect the dependent multisig wallets? When I query "isowner()" the multisig wallets return TRUE.

Hello. May I ask why you decided that anyone can kill the contract?
You're the owner and you can kill the contract as it's supposed to be, so it's expected behaviour, isn't it?

Regards,
Julia.

Hello, first of all I'm not the owner of that contract. I was able to make myself the owner of that contract because it's uninitialized.

These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at the "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address. I made myself the owner of the "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" contract and killed it, and now when I query the dependent contracts' "isowner()" they all return TRUE because the delegate call is made to a dead contract.

I believe someone might exploit it.
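
The failure mode described in the comment above, as an added example that is not part of the original thread and is not Parity's code: a toy Python model in which the shared library is either left uninitialized or initialized at deployment, plus an audit check a wallet operator could run. The class names, the `audit` helper and the rule that a call forwarded to a codeless address succeeds as a no-op are assumptions of the model.

```python
# Toy model, constructed for illustration: not EVM-accurate and not Parity's code.
class Library:
    """Shared wallet logic deployed as an ordinary contract with its own storage."""
    def __init__(self, deployer, init_at_deploy):
        # Hardened variant fills the library's own owner list at deployment.
        self.owners = {deployer} if init_at_deploy else set()
        self.has_code = True

    def init_wallet(self, sender, owners):
        if self.owners:                      # "only if uninitialized" guard
            raise PermissionError("already initialized")
        self.owners = set(owners)

    def kill(self, sender):
        if sender not in self.owners:
            raise PermissionError("not an owner")
        self.has_code = False                # code is gone, the address remains

class WalletStub:
    """Dependent wallet. Assumed rule: a call to a codeless library succeeds as a no-op."""
    def __init__(self, lib, balance):
        self.lib, self.balance = lib, balance

    def withdraw(self, amount):
        if self.lib.has_code:                # logic only runs while the library exists
            self.balance -= amount
        return True

def audit(wallets):
    """Defender's check: flag wallets whose library is ownerless or has no code."""
    findings = []
    for name, w in wallets.items():
        if not w.lib.has_code:
            findings.append((name, "library has no code: calls are no-ops"))
        elif not w.lib.owners:
            findings.append((name, "library uninitialized: first caller becomes owner"))
    return findings

def scenario(init_at_deploy):
    lib = Library("deployer", init_at_deploy)
    wallets = {"w1": WalletStub(lib, 100)}
    before = audit(wallets)
    try:
        lib.init_wallet("outsider", ["outsider"])
        lib.kill("outsider")
    except PermissionError:
        pass                                 # guard held, library untouched
    wallets["w1"].withdraw(40)
    return before, audit(wallets), wallets["w1"].balance
```

`scenario(False)` reproduces the frozen-funds outcome (the withdrawal reports success but the balance stays at 100), while `scenario(True)` shows the same sequence rejected by the guard.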

Hello! We've clashed this problem! Thanks Parity for the great contract again ;)
Any ideas on how can we get our ETH and tokens back from hacked multisig?
I think that we can get ETH back just by killing the contract itself, but what about tokens?

For those Parity guys who don't believe that this exploit works - check out your library which was used by multiple multisigs: https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4#code

It looks like kill will not work on the contract itself if the library was killed. Nice job, Parity

@hlogeon

  1. Why won't kill work?
  2. Will ether transfer by owners work?

@devops199
Because there is an onlymanyowners modifier, which I think refers to the library. I didn't check why it's not working, but the result of calling kill by 3 owners with the same arguments is just nothing.

"pragma solidity ^0.4.9;" released on 31 Jan

How does it solve the problem?

Please read the details of the issue here: https://paritytech.io/blog/security-alert.html

We are analysing the situation and will release an update with further details shortly.

The library is removed from the registry and all current Parity Wallet versions default to the WHG multi-signature wallets.

How come the last 2 links no longer work?

@bernardpeh Our bad, blog engine update ruined some of the links. Thanks for reporting.
I took the liberty of fixing the links in the comment. It will do as a stopgap measure, but we'll definitely fix the underlying cause as well.
