Ethereum Slides After Coding Bug Freezes Wallets Containing $280 Million

Tyler Durden's picture

In a vivid reminder of the risks involved for cryptocurrency investors, Ethereum slumped on Tuesday when a critical security vulnerability in multi-signature wallet belonging to London startup, Parity Technologies, was triggered on 6th November, paralyzing wallets created after July 19, and freezing tens of millions in ethereum. Parity is the same company whose coding error helped hackers steal $30 million worth of ethereum; on Tuesday, the company admitted it was facing more security problems.

Parity issued a "critical" security alert to inform its users about a bug that got "accidentally" triggered which resulted in freezing more than $280 million worth of ETH, including $90M belonging to Parity’s Founder & Ethereum former core developer, Gavin Woods. In the statement, Parity said that it had fixed the vulnerability that led to the original, July hack, but failed to catch and repair another weakness that allows users to rewrite code and take ownership of wallets that don’t belong to them. As a result, Bloomberg notes that many users found themselves unable to move funds out of their wallets because important code was deleted.

Ironically, Parity advised users not to deploy multi-signature wallets - the type impacted by the latest vulnerability - until the issue has been resolved. Multi-signature wallets are supposed to add an extra layer of security, as they require multiple verifications to confirm a transaction. The company hasn’t yet disclosed how many people have been affected.

Affected users: Users with assets in a multi-sig wallet created in Parity Wallet that was deployed after 20th July.

 

Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. However that code still contained another issue - it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.

A user named devops199 claimed he triggered the bug “accidentally” and reported it through a GitHub ticket.

The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized. Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts. The event occurred in two transactions, a first one to take over the library and a second one to kill the library - which was used by all multi-sig wallets created after the 20th of July.

Among those impacted is the Web3 Foundation which is working with Parity to build a blockchain network called Polkadot. "The multi-sig used by the Web3 Foundation to accept contributions for Polkadot was one of those affected, putting the ETH in it beyond access," the firm wrote. "The affected multi-sig wallet does not contain all of the Web3 Foundation’s funds; our ability to build Polkadot as planned and to the original timetable has not been affected."

The new vulnerable contract has been deployed more than 100+ days ago on July 20th, one day after the original multi-sig vulnerability had been exploited and fixed.

“A code has a library path. Somewhere in that path, someone removed one of the libraries. As a result, the code doesn’t work, and as a result of that, the money is frozen, which can be fixed," David Mondrus, chief executive of Trive, a blockchain-based research platform todl Bloomberg. "It does show the difference in performance and safety between hardware and software."

Contacted by Bloomberg, Parity spokeswoman Helena Flack said "We are still working on the final number and do not want to release any speculative figures."

More importantly, however, Flack said that "no ether has been stolen." That should ease the nerves of some cryptotraders who sold off Ethereum this morning when the news spread, sending the price from above $300 to the mid-$280.

As Matt Suiche concludes, "even though the vulnerable smart-contract was open source and deployed months ago, this bug managed to escape code review done by the Parity team. Since by design smart-contracts themselves can’t be patched easily, this make dependancies on third party libraries very lethal if a mistake happens.

We have seen a lot of enthusiasm from a lot of people about blockchain-based smart contracts, and the general assumption from users is that they would be secure. But just like any other piece of software a smart-contract can be vulnerable. All the recent security issues around smart contracts are challenging more and more the sustainability of storing money on a blockchain-based software layer.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Late onset ADHD's picture

HAHAHAHAHAHAHA...

hit me in the head with a brick of reality... actually that's not necessary - it's rhetorical...

DisorderlyConduct's picture

Like I've said before. Free code is worth every penny.

Bokkenrijder's picture

Tmosley, where aaaaaare you?

BTFD? /sarc

Manthong's picture

 

??   How do you spell “counter-party risk  ?????

Buckaroo Banzai's picture

First, Ethereum uses different technology than BitCoin.

Second, this technical fuckup resulted in a whopping 3% drop in the fiat price of Ethereum.

 

Manthong's picture

Hey, what’s a couple tens of trillions between friends?

… or even a scarce, energy intensive  21,000,000 electrons (oops, sorry maybe by at least 256x).

 

Oh.. sorry sir… I lost my electrons in a boating accident…….

..but at least I got a charge out of it.

 

eforce's picture

And then there was that quote from the Ethereum fuhrer leader who wanted to hire that Twitter censor.

Gap Admirer's picture

My Beanie Babies are still secure and holding their value...

Bitchezzz.

IH8OBAMA's picture

If someone - anyone - is allowed to rewrite (correct) the code how can it really be secure?

Luc X. Ifer's picture

This is only one aspect however, it can be easily managed in the OS world - just have a look for example at Linux kernel or other components of the Linux ecosystem known for robustness. Robustness is what makes all the difference and designing the code and the processes surrounding it requires discipline, attention, experience and humbleness - problem is only genuine senior professionals exhibit them and very, very few youngsters active in the field. I'm totally in the Blockchain bandwagon and I see an awesome future resulting from the introduction of this paradigm, I admire Vitalik Buterin for the talent and work he put in the Ethereum whitepaper and initial prototypes however, I become pretty soon skeptic of Ethereum due to a list of choices they made process, platform and architecture wise - and I am till now, actually for the last few weeks I was talking with my buddies about the inevitability that something bad is going to happen technically in the near future to Ethereum, honestly I didn't expected it to be so soon, but the writing was on the wall. Basically, their mistake is that they let themselves dragged by the youngsters typical spirit of non contained adventure, humbleness is a learned virtue acquired with the age and known not available especially in the youngsters enjoying huge success and ascension on a short time period. Ethereum first and major mistake was choosing Go Lang ecosystem, Go Lang is extremely good at delivering tools certainly in the boundaries of defined, known ahead of time problems. Go Lang is catastrophically bad when you hit a wall due to requirement or new features need extending into a not known at initial design time area. Go Lang was by design created as such with very thin support for modeling high abstractions especially because it was desired to be a platform to deliver firm defined tooling level solutions not products which require continuous extensions potentially reaching new paradigms and scalability challenges. The correct solution for Ethereum I support my point even now would have been C++ for best of modeling/performance bang or JVM/Scala for a little bit less performance but tremendous easiness to scale architecturally where an innovative product like Ethereum would go sooner or later.

Sir Edge's picture

 

Fascinating Diagnosis Luc...

...........Could you opine on Stratus and their use of C# as their lang tool ?

https://stratisplatform.com/

 
Edgey..

Have Code - Will Create

OpenThePodBayDoorHAL's picture

A contract is something that doesn't change. If it did you would call it something else, an "arrangement" or something. Software, however, must change, there are always upgrades, bug fix (!) and the like. Software that can't change is a really bad idea. So precisely how do you mix something that can't change (a contract) with something that must change (software)? And make it always and permanently backwardly-compatable? 

Luc X. Ifer's picture

Exactly. This is the main Go Lang problem due to lack of support for complex and heterogeneous abstractions and multiple paradigms. Tackling on new problems non specific to the scope of design of the Go Lang platform is excruciating hard and can be credited only to very experienced people knowing expertly level not only the Go Lang but also the proper paradigms to emulate. Also, to cover some of these paradigms you need typical to the paradigms testing support so, that is not existing in Go Lang. Bad, bad, poor choice.

PhiPhi's picture

Laws can change invalidating contracts or contract clauses.

CH1's picture

Cause engineers are never able to fix their errors. Right?

Haters hate. No surprise.

Manthong's picture

 

..depends upon the error code....    :-)

VD's picture

reposting from my previous comment -- this is all part of the endgame, NOT limited to Ethereum!

 

"

btc already is segwit hacked; so btc should really be called segwitcoin.

do you know what segwit is? do you know what it does? do you know who is behind Blockstream, the co that hacked btc w/ their segwit by convincing miners to agree to it? hint: AXA. & you probably also don't know that Blockstream owns the segwit patent, ergo, they in effect own btc = segwitcoin. (segwitcoin didn't even solve the quadratic hash issue [in an efficient manner, esp going fw, assuming it does].)

do you know that if miners agreed to segwit, as they did, what that implies for the whole chain? hint: the miners, if they agree as they did to allow for this hack, can now also agree to steal btc balances ("terrorism", "fraud" and all the other statist excuses now in the "decentralized" blockchain.)

do your due diligence. btc is now officially a bankster owned scam. segwit2x is more of a distraction, since the btc is already compromised.

 

ps: segwit was a soft-fork and as such will forever remain as part of the btc chain, even w/ future soft-forks (which can further subvert the chain a la said segwit). you can't un-hack or "uninstall" segwit in btc, or segwitcoin.

 

who controls AXA, which in turn controls btc? hint: Bilderberg Group. Don't believe me? please look up Henri de La Croix de Castries, CEO of AXA."

SILVERGEDDON's picture

Well, Buckaroo, tell that to the wallet participants who either cannot access their funds for a timeline somewhere between months and never before these fucktards technically un fuck their "secure" shit. If you were an empty bag holder right now, you would be singing a different tune, thats for fucking sure. 

tmosley's picture

Only an idiot (like you) would trust a company like this with their coins after the first collosal fuck-up.

They have been conducting code audits in house, rather than having other reviewers look at it. Full retard.

SILVERGEDDON's picture

tmosley, let me be perfectly clear.

I trust any crypto about as much as I trust the paper shit your all seeing eye is printed on, or about as much as I trust your investment advice. 

Slow but steady value wins the race.

Knock yourself out chasing another bubble - this one was farted out of the crypto  investment tub bubble bath though I think.

When it pops, it ain't gonna be pretty.  

CH1's picture

How do you spell “counter-party risk”   ?????

D O L L A R.

Michigander's picture

OOH..my ETH is down...wait for it...3%. Fuck all you blindered oldbugs. If you actually think this meets the definition of counterparty risk, then please allow me to introduce you to YOUR counterparty risk

JP Morgan

Goldman

CME Group

Barclays

Scotia Mocatta

Deutsch Bank

I'll take a fixable mistake in code as my counterparty risk 1,000 to 1 over yours.

SILVERGEDDON's picture

Well, fuck, meet dick. Head, that is.

Commodities investors wouldn't trust your list of thieves with a used condom. 

If you don't hold it, you don't own it.

Fucking know it all kids these days - king of the world until the world turns upside down.

Them, blubbering fools under a table with play-doh, scissors, a puppy, and zero funds.  

CH1's picture

Tmosley, where aaaaaare you?

Hating Jews in another thread.

tmosley's picture

Do you think that this article somehow negates my thesis?

If so, present an argument to that effect.

CH1's picture

Actually, I think you've been right on cryptos. But I also think you're an obsessive hater of Jews. 

tmosley's picture

The reply wasn't to you.

If you woke up one day and found that a cult that preaches some of the most vile things imaginable (including that fucking babies three years and a day old is "as nothing" and that the Virgin Mary was a whore) had taken over your civilization, what would you do? Profess your undying love for those who think themselves your masters?

IH8OBAMA's picture

I love it when the Bitconers fight amongst themselves.

 

tmosley's picture

If you think that is a fight, you are retarded.

But we already knew that about you.

Some people can discuss their difference of opinion without clawing each other's eyes out. CH1 is not a peanut, like so many others here (some bitcoiners inclusive).

IH8OBAMA's picture

And there you go again with personal attacks just like a libtard would do.

 

tmosley's picture

>only libtards call people names
>calls someone a name in the same sentance.

WEW.

Grave's picture

shithereum is no bitcoin.

it has poor security and bad design, fundamentally flawed on the lowest level. its no longer immutable, cronies have been bailed out by owners ("developers")
it is banksters "answer" to bitcoin, just like number of other shitcoins and all the shitfork hostile takeover attacks, in desperate attempt to fight the rise of bitcoin.

debtfiat and the entire bankster racket died on 3rd january 2009 when the genesis block of bitcoin was mined.

CH1's picture

a cult that preaches some of the most vile things imaginable (including that fucking babies three years and a day old is "as nothing"...

And you believed that shit? That's a collection of the worst things ever said by the stupidest Jews in history. (Tens of millions of people over centuries can produce a lot of stupidities.)

I encourage you to sit in a synagouge and listen. You will NEVER hear such monstrosities.

tmosley's picture

I was unaware that the highest holy book of the Jews, the Talmud, was a collection of quotes from "stupid Jews".

CH1's picture

Please stop believing whoever told you that. It's plain bullshit.

The Talmud is NOT "the highest holy book." It's a HUGE set of books containing arguments over hundreds of subjects, going back some 2000 years. And yes, some of the arguments were from stupid people.

And, fwiw, lots of things that people claim are in the Talmud, are not. It's such a huge thing that no one has time to prove the other person wrong.

tmosley's picture

Jews seem to take deep personal offence at swipes at the Talmud. You "fine" folks seem to always find your way in and then you take over, don't you?

CH1's picture

If you want to believe hate-engendering delusions, I can't stop you. If you want to learn the truth, start going to synagouge on Friday nights.

Give a shit or don't.

nomofiat's picture

Hey dude, it's your favourite jew calling in.

we are fucking babies now? This is news to me. Do you have any links?

You do know that, us jews, we run crypyto. How are your iota's doing? mwoehahaha

 

 

tmosley's picture

This is the typical level of discourse I have seen from kikes.

Can't easily post links from my phone, but the NY Post, I believe it was, had an expose on Jewish pedophilia in NYC a few years ago. "Stuck like a pig" is not a phrase you want to hear in regards to a young boy in a sauna with a rabbi.

VD's picture

jewz rule.

that is all.

tmosley's picture

Good for everyone to know where your loyalties lie.

SILVERGEDDON's picture

tmosley don't like the hood chocolate Jesus types much either. 

tmosley's picture

I like them just fine. I just know what they are.

I like dogs too. But I wouldn't trust one to be able to survive without someone to take care of them. And I sure wouldn't want them being given a bunch of rights they don't need or deserve.

SILVERGEDDON's picture

tmosley don't like the homey in the hood chocolate Jesus types much either. 

That don't make him a bad man - just his bubble pimping is not so much smart.  

ultraticum's picture

Lemme guess:  You are a user of the proprietary Apple walled garden, tool of the NSA.  Right?