Parity Hack May Be As Much As $150 Million, Far Worse Than DAO Disaster
The hack of a Parity Technologies wallet still has not been resolved, and reports from ethereum experts indicate a hard fork of the ethereum blockchain may be required to free frozen funds, which could total more than $150 million. That would make it the biggest disaster in cryptocurrency history, and it will certainly call into question the future of Parity Technologies at the least, and of ethereum at the worst.
Parity disclosed the issue yesterday in a blog post, admitting that a flaw in its multi-sig wallets could cause their contents to be wiped. The wallets require the consent of multiple parties as an additional security measure, but the flaw evidently exists in all wallets created after July 20 of this year. Parity claimed it discovered the problem when one user’s wallet was wiped. It has so far not indicated that any other wallets were affected, but the risk to other ethereum holders using the multi-sig wallet is enormous.
Worse, any ICOs held since the July 20 date may be impacted. That could total as much as $150 million, according to one analyst’s report. However, the true total will likely not be known for some time. Meanwhile, companies that stored the funds in the frozen wallets cannot draw on those reserves. How long those wallets will be frozen has not been revealed.
The flaw is the second suffered by Parity in the last four months. A July theft of more than 150,000 ETH, caused by a different flaw, was allegedly resolved on July 19, one day before the contract containing the current vulnerability was deployed.
If the $150 million proves to be lost, the incident would be far worse than the previous biggest ethereum hack, the notorious DAO incident of 2016.
The DAO, a decentralized, open-source project, was a blockchain venture that sought to back ethereum projects. It was crowdfunded in May 2016 and, at the time, was the largest crowdfunding campaign in history.
However, in June 2016, hackers exploited a vulnerability in its code to take one-third of the DAO’s reserves, an estimated $50 million. The cure was an ethereum hard fork to restore the funds, which split ethereum into two camps, with the original chain now called Ethereum Classic.
Parity issued the following blog report on the latest incident:
“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July,” said yesterday’s blog post. “However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
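The mechanism Parity describes above, an initialization function on a shared library contract that anyone could call directly, followed by a selfdestruct that removed the code every wallet delegated to, is shown below as a simplified Solidity illustration. This is an added example, not Parity's code: the contract names, the storage layout, the `onlyUninitialized` guard and the `LIBRARY` placeholder address are all constructed for this example, and the wallet proxy is reduced to the two calls that matter here.

```solidity
// Constructed illustration of the library/proxy pattern and its failure mode.
// Not Parity's code; names, layout and the guard are assumptions for this example.
pragma solidity ^0.4.24;

// Shared logic contract. Wallet instances delegatecall into it, so this code
// normally runs against the *wallet's* storage. The library is nonetheless an
// ordinary deployed contract with storage of its own, and anyone can call it
// directly.
contract VulnerableWalletLibrary {
    address[] public owners;   // slot 0
    uint public required;      // slot 1

    // Meant to run once, via delegatecall, from a new wallet's constructor.
    // Nothing stops a direct call on the library itself, which fills the
    // library's own storage and makes the caller its owner.
    function initWallet(address[] _owners, uint _required) public {
        owners = _owners;
        required = _required;
    }

    function isOwner(address a) public view returns (bool) {
        for (uint i = 0; i < owners.length; i++) if (owners[i] == a) return true;
        return false;
    }

    modifier onlyOwner() { require(isOwner(msg.sender)); _; }

    // Executed via delegatecall this destroys one wallet. Executed on the
    // library itself it removes the library's code, and every wallet that
    // delegates to it is left with no logic at all.
    function kill(address _to) public onlyOwner { selfdestruct(_to); }
}

// Hardened variant: the library marks its own storage as initialised when it
// is deployed, and initWallet refuses to run on initialised storage, so the
// library can never be turned into a wallet.
contract HardenedWalletLibrary {
    address[] public owners;   // slot 0
    uint public required;      // slot 1
    bool private initialized;  // slot 2

    modifier onlyUninitialized() { require(!initialized, "already initialized"); _; }

    // Runs against the library's *own* storage at deployment time.
    constructor() public {
        initialized = true;
    }

    function initWallet(address[] _owners, uint _required) public onlyUninitialized {
        require(_owners.length > 0 && _required > 0 && _required <= _owners.length);
        initialized = true;
        owners = _owners;
        required = _required;
    }

    function isOwner(address a) public view returns (bool) {
        for (uint i = 0; i < owners.length; i++) if (owners[i] == a) return true;
        return false;
    }

    modifier onlyOwner() { require(isOwner(msg.sender)); _; }

    // On the library itself owners is empty, so no caller passes onlyOwner.
    function kill(address _to) public onlyOwner { selfdestruct(_to); }
}

// A wallet instance: a thin proxy whose storage layout mirrors the library's,
// because delegatecall writes land in this contract's slots.
contract Wallet {
    address[] public owners;   // slot 0
    uint public required;      // slot 1
    bool private initialized;  // slot 2

    // Placeholder; a real deployment points at the deployed library address.
    address constant LIBRARY = 0x0000000000000000000000000000000000000000;

    constructor(address[] _owners, uint _required) public {
        require(LIBRARY.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)));
    }

    // Every other call is forwarded; if the library's code no longer exists
    // the delegatecall runs nothing, and the wallet's funds are unreachable.
    function() public payable {
        if (msg.data.length > 0) require(LIBRARY.delegatecall(msg.data));
    }
}
```

The proxy is identical whichever library it points at, which is the lesson of the incident: a wallet's safety depends on the library contract's own storage being in a state that rejects initialization, not only on the guards inside each wallet. A review of such a design should confirm that the logic contract is initialised (or otherwise locked) in its constructor and that no path reaches selfdestruct on the shared code.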
Martin Holst Swende, the head of security for the Ethereum Foundation, said in a published report that any resolution to the problem requires a hard fork, as there is no way to recreate the code and make the funds accessible without that tactic. Such an upgrade would require changes across the ethereum blockchain.
Meanwhile, companies with frozen funds are in limbo, unable to access funds raised for development and operations.
Ethereum cofounder Vitalik Buterin said on Twitter today that he would not comment on the exploit. “I am deliberately refraining from comment on wallet issues, except to express strong support for those working hard on writing simpler, safer wallet contracts or auditing and formally verifying security of existing ones.”