Unexpected Parity Disparity

The Parity wallet for Ethereum suffered a bit of a catastrophe today. Many ICO projects use Parity to take advantage of its multi-signature capabilities to improve security for shared project funds.

Parity Multi-Sig Wallet Hacked On Accident

Apparently, a newbie coder, interested in Ethereum - devops199 - was looking around in the Parity code, trying out commands to see how it worked. Suddenly, the user made what appears to be an innocent mistake that is currently making them infamous. Without breaching any security parameters, deveop199 seems to have inadvertently executed a fatal flaw in the Parity codebase.

Through a series of actions that still seem like the results should have been impossible, devops199 managed to destroy the wallet's library that stored the smart contracts for everyone using a Parity wallet. As of this writing, a little over USD$150 million worth of Ethereum is locked up, inaccessible to the Parity wallet owners.

What Happened To Parity

Parity had bad problems with exploitable code issues this past July. back then, the culprit was the initWallet function. The gist of the problem is explained here:

The wallet contract forwards all unmatched function calls to the library using delegatecall ... This causes all public functions from the library to be callable by anyone, including initWallet, which can change the contract’s owners.

Back in July, an attacker was able to use that function to gain access to a smart contract belonging to the Parity software suite. The attacker made off with 150,000 ETH - at the time worth USD$30 million.

What happened this time was not an attack, but again this time, the function at fault was initWallet.

Dan Walton explained the issue in this Medium post. It looks like the problem was entirely accidental. That may be good news for Parity wallet owners because the funds in those wallets were not stolen. The ETH and tokens in the wallet addresses are intact; access to those balances is another question.

User devops199 explained the problem in this post, currently #3 on the list of 256 issues with the software. It's certainly one of the more serious. He didn't go into a lot of detail on the actual causes of the problem in that post, but it appears that was because he was too much of a novice to be aware.

What apparently happened was that devops199 called the initWallet function from the wrong directory, and that mistake alone was enough to cause the software to overwrite the entire library with devops199's test wallet. For whatever reason, devops199's next move was to "suicide" the wallet. The result was the destruction of the entire wallet library, achieved solely by function calls within the software.

gregrebholz @gregrebholz 10:12

Parity’s “multi-signature wallet” (designed for shared ownership) can be deployed by anyone, and relies on the already deployed “wallet library” that is the subject of today’s dumpster fire. The wallet library has the “make a new wallet” function in it. devops199 called that function directly, instead of from a new wallet. The library turned itself into a wallet with devops199 as the owner. The owner of a wallet can “suicide” the wallet, which is what he did next.

Many users speculate that devops199 was not as innocent as it appears. Honestly, what difference does it make? No one should trust the Parity wallet anymore. It's possible they will come up with a swift solution to this issue. If so, Parity users should move their funds and never use the software again. This will (and should!) cause irreparable damage to the Parity software developers' reputation.

The harm to their reputation could bleed over into other projects by the team, such as

What's Next For Parity

Parity today issued this "Security Alert", informing Parity wallet owners that they are currently locked out of access to their ETH funds and token balances. The funds affected total up to approximately $150 million in current USD value.

Restoring access to the wallets seems like it must be possible, but so far no one seems to have a clue about how to do that. Already, some users are suggesting that another Ethereum hard-fork is the only way to restore the funds to the wallet owners who had access before this fatal Parity code flaw executed.

The repercussions are casting serious doubts, tanking token prices and raising the prospect of needing another Ethereum hardfork to restore access to the funds, similar to the one taken after TheDAO was infamously exploited. That hardfork spawned the now-rewound ETH fork and the original-but-renamed ETC fork.

I don't have a list of ICO projects affected by the Parity wallet hack right now, but I will update as that becomes available.

Chat about Steem and share a dank meme on my Discord

Keep on Steemin'!