It has come to the attention of the Polkadot community that an exploit of Parallel Finance governance has resulted in the execution of a malicious runtime upgrade allowing an attacker to gain unauthorized privileges and begin unstaking and selling funds and minting unauthorized funds. They have already managed to transfer over 312,185 DOT and 126,837 USDT, but are currently waiting for an additional 125,688 DOT to complete the 28-day unstaking period. Polkadot Whitelisted Caller Referendum 1322 aims to use root privileges to rebond the at-risk DOT, and buy an additional 28 days of time for the Parallel Finance community to explore solutions to regain control of the parachain. An address linked to the attacker has responded by submitting Polkadot Root Referendum 1326, which proposes an on-chain remark requesting that sudo privileges do not get returned to the Parallel Finance team, based on allegations that they have been attempting to pull-off a sophisticated rug-pull since April of this year.