Parity Flaw Lets Amateur Dev Lock Away Millions’ Worth of ETH
November 6, 2017, will surely go down as a day of infamy for the Ethereum community.
On this day, a user accidentally locked away all ether (and tokens) inside of every Parity multi-sig wallet. Right now, the amount of funds that have been locked away top a whopping $300 million U.S. dollars.
But how was this possible? How is Parity being rocked by a major debacle once again after they were already shaken by a major bug back in July?
Let’s bring you up to speed on all the major details of this astounding story.
How the flaw unfurled
“devops199,” a developer who had described himself as new to Ethereum, was exploring the Parity GitHub repository when his curiosity took a turn for the catastrophic.
devops199 was able to take control of one of the main libraries that Parity’s multi-sig wallets run on, at which point he sent a “kill” command to the library—destroying it and blocking thousands of users from being able to access their crypto holdings.
As devops199 infamously explained, “I accidentally killed it.”
The bug was that Parity had deployed that particular library uninitialized, so anyone was able to take ownership of it. devops199 did.
The second critical error was that devops199 had the not-so-genius idea to send a “kill” command to the library, something no Parity dev (or anyone else, really) would’ve ever done under the same circumstances.
Think of it like devops199 pressing an individual delete button for every Parity multi-sig wallet. It’s not literally what he did, but it’s what he did in effect by deleting the library in question.
Such a valuable library shouldn’t have been uninitialized in the first place. The responsibility for that lies squarely with Parity.
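To make the pattern concrete, here is an added Solidity sketch that is not Parity’s code; the contract names, function names and the wallet stub are my own and only mirror the description above. It places a shared library whose one-time initializer is still callable on the library itself (because the library’s own storage was never set up) next to a hardened version that claims its own storage at deployment and keeps selfdestruct out of shared code entirely.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Parity's code. All names are hypothetical.
// Every wallet delegatecalls into one shared library contract, so the
// library's code is a single point of failure for all of them.

// VULNERABLE PATTERN: the library's own storage was never initialized,
// so its "run once" initializer can still be called on the library itself.
contract VulnerableWalletLibrary {
    address[] public owners;

    // Intended as a "run once per wallet" guard. It is also true for the
    // library's own (empty) storage, which is the flaw.
    modifier onlyUninitialized() {
        require(owners.length == 0, "already initialized");
        _;
    }

    modifier onlyOwner() {
        bool isOwner = false;
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == msg.sender) isOwner = true;
        }
        require(isOwner, "not an owner");
        _;
    }

    // Called on a wallet via delegatecall, this sets the wallet's owners.
    // Called on the library directly, it hands the library to the caller.
    function initWallet(address[] memory _owners) public onlyUninitialized {
        owners = _owners;
    }

    // A library "owner" can remove the shared code, bricking every wallet.
    function kill(address payable to) public onlyOwner {
        selfdestruct(to);
    }
}

// HARDENED PATTERN: claim the library's own storage at deployment so the
// initializer can never run on it, and keep selfdestruct out of shared code.
contract HardenedWalletLibrary {
    address[] public owners;

    constructor() {
        // The library owns itself; onlyUninitialized now fails on the library.
        owners.push(address(this));
    }

    modifier onlyUninitialized() {
        require(owners.length == 0, "already initialized");
        _;
    }

    function initWallet(address[] memory _owners) public onlyUninitialized {
        require(_owners.length > 0, "need at least one owner");
        owners = _owners;
    }
    // No kill()/selfdestruct: code that many contracts depend on must not be
    // destroyable by any single caller.
}

// Minimal wallet stub showing the dependency on the library's code.
contract WalletProxy {
    address public immutable lib;

    constructor(address _lib, address[] memory _owners) {
        require(_lib.code.length > 0, "library has no code");
        lib = _lib;
        // Runs initWallet in this wallet's storage, not the library's.
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[])", _owners)
        );
        require(ok, "init failed");
    }

    // Every call is forwarded to the library. A delegatecall to an address
    // with no code reports success while doing nothing, so check for code
    // first and fail loudly rather than silently.
    fallback() external payable {
        require(lib.code.length > 0, "library destroyed");
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }

    receive() external payable {}
}
```

The design point is the split of responsibilities: the wallet’s storage is initialized through delegatecall, but nothing ever initializes the library’s own storage unless the constructor does it, so any guard of the form “owners is empty” is trivially satisfied on the library. Initializing in the constructor closes that gap, and removing selfdestruct from shared code means that even a mistaken or malicious “owner” cannot take the code away from everyone who depends on it.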
For now, it looks like anyone and everyone who held their ether and ERC-20 tokens in a Parity multi-sig wallet is affected by devops199’s deletion.
Notably, Parity users who weren’t holding their crypto in a multi-sig wallet aren’t affected.
Current estimates place 900,000 ether (over $300 million) as being locked away by the flaw. This means a range of members of the community have been affected, from individual investors to ICO projects like Polkadot.
Parity has warned the community that users should avoid creating or sending money to Parity multi-sig wallets for the indefinite future:
We are asking for everyone to be patient until the full extent of the issue has been identified and we will communicate any necessary instructions or advice. We are advising users not to deploy any further multi-sig wallets until the issue has been resolved and to not send any Ether to wallets that have been deployed and are in use already.
Potential hard-fork looms
It’s unclear for now how these 900,000 ether can be recovered short of a hard-fork. The Ethereum community is seemingly going through a larger and stranger replay of the DAO hack and ensuing hard-fork, except this time it wasn’t a hack … it was devops199.
Ethereum Foundation security head Martin Swende has already chimed in, arguing that he sees a hard-fork as the only remedy going forward:
There's unfortunately no way to recreate the code without a hard fork. Any solution which makes the locked funds accessible requires a hard fork … I'd like to see this spearheaded by the affected parties, not the foundation.
Ethereum creator Vitalik Buterin is largely staying mum, seemingly letting the community work through the problem democratically.
If a hard-fork were to occur, an Ethereum Classic-like situation could be possible. Non-affected ether holders would end up with two coins of as-yet undetermined worth, all depending on the contentiousness of the fork.
Bad year for Parity
This latest incident marks only the second major flaw that’s rocked the Parity user base in 2017.
Back in July, you may recall how hackers were able to penetrate Parity’s multi-sig wallets, making off with roughly $30 million in a crypto heist.
Now that this second catastrophic bug has actualized, Parity will surely face difficulties in being seen as a viable wallet provider in the months ahead.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.