Bug that deleted $300m could have been fixed months ago

All of you unfortunate holders of frozen ether, there’s no sign of a thaw anytime soon… sorry.

It wasn’t phrased that way, of course, but that was probably the most significant takeaway for holders of the cryptocurrency that uses the Ethereum blockchain after a lengthy “postmortem” issued on Wednesday by digital wallet company Parity Technologies Ltd.

This comes a little over a week since somewhere between $160m and $300m was frozen thanks to a user exploiting a bug in the Parity Wallet library contract.

While the post said Parity “deeply regrets the situation” and is “working hard to explore all feasible solutions,” it has no date when anything like that might happen.

There is no timeline for when such an improvement proposal could be implemented; we will follow the will of the community and go through the regular EIP (Ethereum Improvement Proposals) process like any other protocol improvement.

But perhaps an even more important piece of bad news was that the freeze shouldn’t have happened at all. As Parity acknowledged, a Github contributor called “3esmit” warned it about the flaw in August 2017 and recommended a code change.

The company said at the time that it considered it only as a “convenience enhancement,” and not an exploitable bug.

Interpreting the recommendation as enhancement, the changed code was to be deployed in a regular update at a future point in time.

Obviously that future point in time had not arrived by 6 November, when a user identified only as “devops199” discovered what he apparently thought was a multi-sig Ethereum wallet (requiring more than one owner to “sign” a transaction before it can proceed) and took ownership of it by calling a function known as initWallet.

Turns out, devops199 had actually become the owner of a code library for Parity multi-sig wallets. And then he decided to kill, or “suicide” it. As Parity put it:

Subsequently, the user destructed this component. Since Parity multi-signature wallets depend on this component, this action blocked funds in 587 wallets holding a total amount of 513,774.16 Ether as well as additional tokens.

Which, as Jordan Pearson of Motherboard observed after reading the postmortem, “doesn’t look good.” At midweek, ether was worth $330.50.

At the time of the freeze, users were both angry and aghast. Pearson noted that a commenter called “1up8912” on the Ethereum subreddit wrote:

I know it is easy to be smart in hindsight, but these are huge design errors, I can’t comprehend how could this pass reviews in the architecture phase.

According to Parity, the original “Foundation” multi-sig wallet code was, “created and audited by the Ethereum Foundation’s DEV team, Parity Technologies and others in the community,” but was later restructured into two library contracts.

One of those, a “smart contract, containing the majority of the wallet’s logic” contained a fatal flaw:

In an attempt to stay as close as possible to the original audited smart contract, as few changes as possible were made to derive the library contract. This, however, meant that the library contract had the same functionality as a regular wallet and required initialization. It therefore also still contained the original self-destructfunction that is designed for retiring the wallet.

But after a hack on 19 July 2017, in which hackers looted $32m in ether from multi-sig wallets, the library contract was, “fixed and redeployed” the next day. It is the wallets created after that day, with the flaw noted by “3esmit”, that are affected.

Supposedly the whole thing was an accident. Devops199 posted on Github under the heading, “anyone can kill your contract” that he had killed the library inadvertently, and then later in a tweet that, “I’m eth newbie .. just learning.”

That didn’t fly with Kosta Popov, founder of Cappasity, who had about $1m in a now-frozen Ethereum multi-sig wallet. The Register reported he believes it was “deliberate and fraudulent.” In a statement on his company website, Popov wrote:

Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate. When you are tracking all their transactions, you realize that they were deliberate… Therefore … we suppose this was a deliberate hacking.

While Popov also wrote that, “contacting law enforcement might be the right next step,” so far, there doesn’t seem to be much interest, at least in public, from Parity in tracking down devops199. The company did not respond to an email seeking comment.

In a “locking-the-door-after-the-horse-has-bolted” move, Parity said it is:

…removing the ability to deploy multi-sig wallets until we feel we have the correct security and operations procedures in place so that we can be confident this will not happen again.

Even more important than that though is what Parity intends to do to fix the broken processes that led to the buggy code being deployed, and vulnerability report being misunderstood.

On that, Parity says it is:

..commissioning another full-stack external security audit of all existing sensitive code including secret management, key generation and password management, signing and auto-updating.

We will be putting significant efforts and resources into reviewing our processes and procedures internally and have a team specifically dedicated to operational security. This team will be expanded as necessary and we will have resources at its disposal. The team will be tasked with reviewing and maintaining critical parts of Parity Technologies’ offering.

Which must be some relief – to those whose currency didn’t get frozen.