$280 million dollars' worth of Ether (ETH) locked away in Ethereums smart-contracts.
Parity has officially released a statement titled, "A Postmortem on the Parity Multi-Sig Library Self-Destruct" system problem. It reads, "On Monday, November 6th, 2017 02:33:47 PM UTC, a vulnerability in the 'library' smart contract code, deployed a shared component of all Parity multi-sig wallets deployed after July 20th, 2017, was found by an anonymous user." Now if you never studied software engineering before, let me point out this is a perfectly common practice. The phrase like, "don't re-invent the wheel" applies when developing software just as it does everywhere else. The classic example I would give is a calendar system.
Once someone has written the software code that creates 12 months' scripture, with the correct number of days in each month and accounts for leap years and all of that sort of stuff. What's the point in someone completely re-writing that from scratch? There isn't any point is there. So when I say write an address book app, I can just import that library of code and get the calendar functionality in an instant. Now that practice is perfectly common. However, the downside is if there is a flaw in that shared component, you've got a problem much wider than that single piece of code because everyone is sharing it.
The second thing to point out is that this "self-destruct function" that someone used to destroy the withdrawal code in the Ethereum smart contract, that's also a perfectly legitimate feature. The self-destruct is used when you want to retire an old version of a smart contract. Ether Delta has don’t this periodically when upgrading their systems. It's why they remind users to transfer their Ether out of their old smart contract into a new one. When the Ether Delta exchange upgrades itself, you don't want to be trading in the old smart contracts. Back to Parity, I mentioned this in the last article I wrote but I'll say it again just to be clear.
This problem specifically affects multi-signature wallets created with Parity. It is unlikely, even highly unlikely that the average user will have any funds in any these 587 affected wallets. These wallets are more likely belonging to ICOs and Ethereum based applications. In fact, I believe Iconomi have some of their Ether locked in some of these multi-signature Parity wallets.
Anyway, some random dude came along and managed themselves the owner of one of these shared library components that 587 multi-signature wallets depend on for some of their functionality, then this guy was able to run the self-destruct on the shared library and thereby cause all 587 multi-signature wallets that were using that code to be affected. It says in the Parity article, "this action blocked funds in 587 wallets holding a total amount of 513,774.16 Ether as well as additional tokens."
This money is stuck because the code that would allow you to withdraw the Ether from these multi-sig smart contracts have been deleted by this self-destruct function. Moving on from there, there reads a heading, "Was The Wallets Library Audited?" It does say the original foundation for multi-signature wallets was created and audited by the Ethereum foundation's development team and also by Parity Technologies and others in the community. Many users rely on it and it underwent extensive peer review. This body of code continues to have no known security issues.
That's talking about the original multi-signature wallet that was developed by peer review within the Ethereum community including the Ethereum foundation developers. That's not affected and still secure as far as we know. It then reads it was re-structured by the Parity team into a light-weight stub smart contract which is deployed to the network every time a wallet is created together with a much heavier library which was deployed only once.
While there was no formal audit of this additional deployment Parity made, the contract had received many reviews internally and externally in the context of analysis of the July that was previously exploited on July 19th, 2017. That's what I mentioned in the previous article as well, the most recent bug was the result of a previous fix, which was another security flaw found by somebody else. So this is a bug from a solution that was meant to fix another bug.
That's sort of a chain of problems. It's clear from the released statement that this bug crept in when Parity made their modifications and they tactfully disclose that in the statement. But, why didn't anyone spot this you might ask. Someone did. In August a GitHub contributor called "3esmit" recommended a code change that initialized wallet should be called when deployed at the time was considered a convenience or an enhancement. So this person was recommended to run this initialized wallet function when the smart contract was developed. They say, "thus we committed this proposed enhancement at a future date in time."
This is important, they specifically say they interpreted this as an enhancement which is why they saw no rush to deploy it. However, someone else was able to initialize the contract themselves, make themselves the owner and then run the self-destruct on the contract. So that's why that was able to happen.
What is Parity Technologies Doing to Unfreeze The Affected Funds?
They say we deeply regret the situation and are working hard on several Ethereum improvement proposals or EIPs.
There is no timeline when such an improvement or proposal could be implemented. In terms of a remedy, they have put forward some of these changes in the Ethereum protocol that could potentially allow the funds to be unblocked, however, as they say, this is not a quick process as it allows consensus from the community that a change to the Ethereum protocol should happen. So basically until further notice, that 513 thousand Ether is stuck potentially forever. CoinJolt.com eliminates the problem of wallet breaches and hacks by storing the majority of our assets in secure offline storage.
August 12, 2018
August 10, 2018
August 09, 2018
August 09, 2018
August 09, 2018
August 09, 2018