The Ethereum ecosystem encountered another black swan event this week with the activation of a bug in the multi-signature wallet software released by Parity Technologies. The bug resulted in multi-sig wallet users permanently losing access to an estimated $150 million in funds. Leading some people to compare the significance of the event to the infamous collapse of bitcoin exchange Mt. Gox.
“I accidentally killed it.”
With those words and a link to an ethereum contract address on Etherscan, Github user “devops199” revealed that he or she had inadvertently exploited a bug in the Parity Wallet library contract. Apparently, the user had turned the library contract into an ordinary multi-sig wallet and had become the owner of that wallet.
Recognizing what had happened, the user attempted to delete the code that had transferred the wallet ownership. However, because the wallet contained library contract code — and all Parity multi-sig wallets rely on that code for their internal logic — the deletion of the code permanently froze the approximately $150 million in funds stored in Parity multi-sig wallets.
Developers are currently exploring potential solutions to recover access to the funds, but early reports indicate that the funds would only be recoverable through a hard fork to the Ethereum platform.
“One of the biggest cybersecurity challenges with smart contracts is that they’re made up of code, just like any other application. This is prone to human error,” said Leigh-Anne Galloway, cyber resilience lead at Positive.com, which protects ICOs from cyberattack. “It’s also quite hard to make changes to the contract once it goes live, which is why we’ve seen that the funds have been frozen with Parity. This scenario is evidence that it’s extremely important to review the code before a contract goes live to avoid these vulnerabilities.”
The greatest fear associated with a hard fork is that some users will refuse to upgrade to the new software, causing the Ethereum blockchain to split into two. This worst-case scenario happened following the hard fork that recovered funds stolen in the $50 million DAO hack last year, resulting in the creation of Ethereum Classic by users who did not believe a hard fork should be used to edit transaction history — no matter the consequences.
This is not the first time a bug in Parity’s multi-sig wallet code has caused users to lose funds. Earlier this year, an attacker exploited the multi-sig code to steal more than $30 million worth of ether and could have made off with more money if white hat hackers had not drained affected accounts and returned funds to users. At the time, Litecoin creator Charlie Lee said that the breach confirmed that the complexity of Solidity, the native programming language of Ethereum, makes the platform a “hacker paradise”.
However, the exploit could have ramifications for the entire crypto ecosystem. BlockTower Capital CIO Air Paul, for instance, predicted that the fallout from the bug will have negative impacts on all cryptocurrencies — not just ethereum. “A flaw in an ethereum multisig wallet leads both retail and institutional investors to question the security of all wallets,” he concluded.
Featured image from Shutterstock.
Last modified: May 21, 2020 9:07 AM UTC