Business 8 November 2017

Cecille de Jesus

Another slip-up: “accidental” kill command freezes $285 million in Ethereum multi-sig wallets

Ethereum smart contracts suffer one expensive bug after another, raising the question of whether they should be deployed at industry-wide scale at all.

Well, this is embarrassing.

Two days ago, a user who goes by the name devops199 submitted an issue to Ethereum client Parity’s GitHub repository, saying “anyone can kill your contract” and that he/she “accidentally killed it.”

The result was that Parity multi-signature wallets froze. The company issued a critical security alert on their blog, saying all wallets created after July 20 have been wiped of their code and are now unusable.

“Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
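A simplified Python model of the failure mode Parity describes above, added here as an illustration and not Parity's contract code: wallet stubs delegate all logic to one shared library, so wiping the library's code freezes every stub. The class names, the `guarded` flag (one possible mitigation: initialising the library's own state at deployment) and the sample values are assumptions.

```python
class Contract:
    def __init__(self, balance=0):
        self.storage = {"owner": None}
        self.balance = balance
        self.alive = True  # False once the contract's code has been wiped

class WalletLibrary(Contract):
    """Shared logic; ctx is the contract whose state the call acts on."""
    def __init__(self, guarded):
        super().__init__()
        if guarded:
            # Assumed mitigation: claim the library's own state at deploy time.
            self.storage["owner"] = "deployer"

    def init_wallet(self, ctx, caller):
        if ctx.storage["owner"] is not None:
            raise PermissionError("already initialised")
        ctx.storage["owner"] = caller

    def kill(self, ctx, caller):
        if caller != ctx.storage["owner"]:
            raise PermissionError("not owner")
        ctx.alive = False

    def withdraw(self, ctx, caller, amount):
        if caller != ctx.storage["owner"] or amount > ctx.balance:
            raise PermissionError("refused")
        ctx.balance -= amount
        return amount

class WalletStub(Contract):
    """Holds funds and state; all state-modifying logic is in the library."""
    def __init__(self, library, owner, balance):
        super().__init__(balance)
        self.library = library
        self.call("init_wallet", owner)

    def call(self, fn, caller, *args):
        # Delegated call: library code runs against this stub's state.
        if not self.library.alive:
            raise RuntimeError("library code is gone; wallet has no logic left")
        return getattr(self.library, fn)(self, caller, *args)

def scenario(guarded):
    lib = WalletLibrary(guarded)
    wallet = WalletStub(lib, "alice", 100)  # constructed sample wallet
    try:
        lib.init_wallet(lib, "stranger")  # direct call: acts on library state
        lib.kill(lib, "stranger")
    except PermissionError:
        pass  # guarded library refuses re-initialisation
    try:
        wallet.call("withdraw", "alice", 40)
        return "usable", wallet.balance
    except RuntimeError:
        return "frozen", wallet.balance
```

With `guarded=False` the wallet keeps its full balance but can no longer move it; with `guarded=True` the library's state cannot be claimed and the withdrawal succeeds.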

The locked funds are those that are in multi-signature wallets (or multi-sig wallets), which enable corporations to require multiple signatures before allowing transactions to push through. And as it is a client that caters primarily to corporate accounts, the amounts are in corporate-fund levels, too. Latest reports say the frozen accounts sum up to $285 million, contradicting previous reports estimating the locked amount at $150 million.

According to Parity, the funds are locked and not stolen—as far as they know.

Update: To the best of our knowledge the funds are frozen & can’t be moved anywhere. The total ETH circulating social media is speculative.

— Parity Technologies (@ParityTech) November 7, 2017

Should we keep bailing out erring developers?

While it is the user that triggered the freeze, the accidental discovery of the bug has fingers pointing at Parity devs, especially as this follows yet another mess back in July this year which they mention in the statement above—$30 million worth of Ether (ETH) were stolen due to another bug in their multi-signature contract. Fortunately, white hat hackers were able to recover the funds.

But with this latest blunder, it looks like even the white hat hackers are powerless, as the freeze was not a theft but a wipe-out of the library code that dictates how the wallets respond to commands.

The only viable solution being proposed at the moment is a hard fork that will reverse the timeline back to the blocks where the libraries have not been wiped out yet. This will undoubtedly cause a huge division in the community again, as it is sort of like the blockchain version of a “bailout.” And since faulty code was to blame, users may not see a hard fork as the right direction but rather as a violation of Ethereum’s pledge of immutability and resistance to control.

This is the exact same predicament that brought Ethereum to its knees last year: from over $20 at the time, Ether went down to $11 throughout the rest of the year.

This slip-up undoubtedly dethrones the infamous DAO “hack,” which would have cost users around $80 million worth of Ether and was, in fact, not a hack. The attacker exploited a loophole in the DAO’s code, taking advantage of it to siphon funds out of investor accounts into the attacker’s own account, referred to as the Dark DAO.

The Ethereum community then arranged a hard fork that would “run time backwards” to a point where the theft had not happened, and urged users to support it. Some in the community did not agree with this. It was the DAO that chose to proceed with a token sale where they raised over $50 million worth of ETH despite being told beforehand that there were security flaws in their code. Some users therefore felt that the DAO did not deserve to be bailed out of its own mess but should rather be taught a lesson. Some were even firm that the attacker should get to keep the stolen funds, since they were acquired with technical legitimacy: the attacker only played by the DAO’s rules, which had a self-destruct backdoor.

The hard fork proceeded anyway to help out affected investors, but this led to the birth of the alternate chain Ethereum Classic (ETC) as a form of resistance against what users saw as a manipulation, and therefore a violation, of Ethereum’s motto: CODE IS LAW.

Ethereum is not enterprise-ready, despite Enterprise Alliance.

As more and more companies try to build on Ethereum, it’s becoming harder and harder to monitor each and every one of them for bugs and potential risks—that is, considering you even know how to find them. Unless you are a programmer yourself, it’s hard to pinpoint such attack vectors in a smart contract. And there aren’t enough programmers with high enough levels of expertise in the sphere at the moment to fool-proof smart contracts as they arise.

Bugs in Ethereum smart contracts have been consistent and severely costly. The fact that something like this could happen in a snap, in seemingly one “accidental” hand-slip, is absolutely disturbing. It calls into question whether Ethereum’s hasty entry into enterprise-scale adoption is premature, as it is lethally expensive.

Obviously, companies and developers are still figuring their way around these things, and that is okay. But is it okay for them to be groping their way around whilst carrying the entire load of investors’ funds, which would all go down in flames with them every time they make a wrong turn?

Accountability in the blockchain era

In the traditional financial system, this is the kind of thing that gets you sued.

But with legislation still lagging behind on covering such scenarios in the blockchain industry, investors are left with no course of action other than pulling their hair out when f*ck-ups do happen. Some are insisting that we do, indeed, have to start pointing fingers.

“My thoughts are we should seriously consider as a community what the limit of our forgiveness is. At what point do we have to start ostracizing people for security failures?” – Vulcanize engineer Rick Dudley to CoinDesk.
