# parity wallet hack demonstrated that selfdestruct in implementation contracts permanently bricks proxy systems In November 2017, a user called the `initWallet` function on the Parity multisig library contract (the implementation behind all Parity multisig proxies), claimed ownership, then called `kill` which triggered `SELFDESTRUCT`. This destroyed the library contract's bytecode, making it impossible for any proxy to delegatecall to it. Since [[delegatecall executes code from another contract using the callers storage context|delegatecall requires code at the target address]], approximately $280M in funds across all Parity multisig wallets became permanently frozen. The incident demonstrates why [[selfdestruct in implementation contracts can permanently brick proxy systems]] and motivated [[selfdestruct was deprecated in solidity 0.8.18 via eip-6049|the eventual deprecation of selfdestruct]]. --- Relevant Notes: - [[selfdestruct in implementation contracts can permanently brick proxy systems]]: the vulnerability pattern demonstrated - [[selfdestruct was deprecated in solidity 0.8.18 via eip-6049]]: the long-term response - [[uninitialized proxy contracts are vulnerable to re-initialization attacks that hijack ownership]]: the initialization flaw that enabled the initial takeover - [[Solidity functions without an explicit visibility modifier defaulted to public before version 0.5.0 allowing anyone to call intended-internal functions]] -- the language-level mechanism that made initWallet publicly callable; the 2017 code was compiled with a pre-0.5 compiler where omitting a visibility modifier defaulted to public, making the initialization function an open attack surface without any explicit missing-modifier finding Topics: - [[exploit-analyses]]