The latest Ethereum Parity wallet disaster, play by play

“I accidentally e-mailed my bank ‘delete’ and they lost everybody’s accounts. I’m sorry i’m just learning banking.” (Powershift)

I spent yesterday afternoon on Twitter and /r/buttcoin, giggling. It was a popcorn overload moment for every acerbic cryptocurrency sceptic who ever thought that immutable, unfixable smart contracts were an obviously stupid idea that would continue to end in tears and massive losses, as they so often had previously.

Someone decided to access a “kill” function on various smart contracts on the public Ethereum blockchain, to see what would happen — just experimenting:

“Will i get arrested for this?” So asks a user called devops199 on parity’s developers real time public chat room, before confirming he called the “kill” transaction which wiped out the code library and froze some 500,000 eth, currently worth $150 million.

“I’m eth newbie… just learning… sending kill() destroy() to random contracts you can see my history” he publicly said.

Devops199 was researching the July 2017 vulnerability in the Parity Ethereum wallet software which had led to $30 million being stolen. Unfortunately, in following the logic of that bug, they discovered that the fix for that problem had a new bug, which they duly reported to the Parity project:

anyone can kill your contract #6995

I accidentally killed it.

https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4

I was able to make myself the owner of that contract because its uninitialized.

I made myself the owner of “0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4” contract and killed it and now when i query the dependent contracts “isowner(<any_addr>)” they all return TRUE because the delegate call made to a died contract.

I believe some one might exploit.

Devops199 took ownership of the contract at that address, because ownership had not been initialised, then turned it into a regular wallet address. They tried to back out by sending it a “kill”, which would normally be fine … but the contract in question was a “library” function — a function designed for other programs to use — that turned out to be essential to Parity wallets. With this library function disabled, all the contracts depending on it couldn’t work any more. An accidental left-pad incident in production, where a minor function that was deleted turned out to be a dependency of much more important things.
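The failure mode described above, as a small Python model added here for illustration (not code from this post or from Parity; the class names, function names and addresses are assumptions, and the model only mimics the relevant call semantics). It runs the same sequence against a shared library whose owner slot was left uninitialised and against one that was initialised at deployment.

```python
# Toy model (constructed) of stub wallets that delegatecall into one shared
# library contract. All names are illustrative assumptions, not Parity's code.
class Chain:
    def __init__(self):
        self.code, self.storage = {}, {}   # address -> logic / own storage
    def deploy(self, addr, logic):
        self.code[addr] = logic
        self.storage[addr] = {"owner": None, "balance": 0}
    def call(self, sender, addr, fn, *args):
        return self._run(sender, addr, addr, fn, args)   # callee's own storage
    def delegatecall(self, sender, ctx, lib, fn, *args):
        return self._run(sender, lib, ctx, fn, args)     # lib code, caller's storage
    def _run(self, sender, code_addr, ctx, fn, args):
        logic = self.code.get(code_addr)
        if logic is None:          # EVM: low-level call to a codeless address
            return (True, None)    # reports success and does nothing
        return getattr(logic, fn)(self, sender, ctx, *args)

class WalletLibrary:
    def init_wallet(self, chain, sender, ctx):
        s = chain.storage[ctx]
        if s["owner"] is not None:
            return (False, "already initialised")
        s["owner"] = sender        # first caller becomes owner
        return (True, None)

    def kill(self, chain, sender, ctx):
        if chain.storage[ctx]["owner"] != sender:
            return (False, "not owner")
        del chain.code[ctx]        # selfdestruct: code at this address is gone
        return (True, None)

    def withdraw(self, chain, sender, ctx, amount):
        s = chain.storage[ctx]
        if s["owner"] != sender or amount > s["balance"]:
            return (False, "denied")
        s["balance"] -= amount
        return (True, amount)

def scenario(library_initialised_at_deploy):
    chain = Chain()
    chain.deploy("LIB", WalletLibrary())
    if library_initialised_at_deploy:   # hardening: deployer claims LIB's owner slot
        chain.call("deployer", "LIB", "init_wallet")
    chain.storage["WALLET"] = {"owner": "alice", "balance": 100}  # stub: no logic of its own
    took = chain.call("stranger", "LIB", "init_wallet")[0]
    killed = chain.call("stranger", "LIB", "kill")[0]
    paid = chain.delegatecall("alice", "WALLET", "LIB", "withdraw", 40)[1]
    return took, killed, paid, chain.storage["WALLET"]["balance"]
```

With the library left uninitialised, the wallet's withdrawal call reports success but pays nothing and the balance stays at 100, which is the frozen state. In this model the deployer could still call kill on the initialised library, so keeping a kill function out of shared library code is the stronger fix.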

The Parity project has a detailed post on what happened. “This means that currently no funds can be moved out of the multi-sig wallets.” The total of locked-up funds appears to be on the order of 1 million ETH, or about $300 million. Parity’s MultiSig Freeze page currently says 584 wallets are affected.

Parity was founded by Gavin Wood, who is more or less the second-lead developer of Ethereum itself, and author of the “yellow paper”, the Ethereum protocol specification. Wood also runs Polkadot, whose ICO was very successful; the Ether raised in the ICO appears to be stuck in the locked wallet.

To emphasise that point: smart contract coding is so difficult and unforgiving that even one of the primary developers of Ethereum can’t do it without losing hundreds of millions of dollars to human error.

Artist’s impression of Ethereum, Tuesday 7 November 2017.

Some crypto advocates who’ve been mainlining cryptocurrency ideology — including ones who really should know better, like Emin Gün Sirer — think that this drop in supply will obviously lead to an increase in price, because Austrian bitcoin economics holds this as an article of faith. In real economics, this isn’t how the purchasing power of money works. It might apply if Ether was a highly liquid commodity whose demand was comparable to the supply; in practice, it’s very thinly traded, the total supply is vastly greater than the demand (so hold!) and the price is pretty much made of exuberance.

Some have seriously advocated a rescue fork of Ethereum, though Vitalik Buterin remains carefully noncommittal on the idea. There is a proposal to make smart contracts and locked wallets like this recoverable, though that would require another hard fork flag day, and Ethereum is just stabilising after the last one.

Crypto advocates need to take the next logical step, and admit the possibility that irreversibility, an essential design feature of cryptocurrency blockchains, is the fatal flaw of cryptocurrency that is responsible for most cryptocurrency and smart contract disasters. Pervasive irreversibility has turned out to be a bad and stupid idea.

Did I tell you so? I do believe I spent the entirety of chapter 10 telling you so!




5 Comments on “The latest Ethereum Parity wallet disaster, play by play”

  1. I’ve only read your first paragraph yet, but I thought I’d mention its gist furiously reminds me of the puns that French throws at cybernetics:

    s’hiberne éthique — “self-hibernates ethics”
    s’y berne éthique — “there fools itself ethics”

  2. It continues to be a disappointment that none of the players in the “smart contract” arena know their history and stuff like the E language and object-capability security. It didn’t have to be this way.

    1. Many do know better – Nick Szabo proposed a formal smart contract language in 2002, and the Ethereum devs have Viper, a non-Turing-complete EVM language – but Ethereum seems to have taken the “worse is better” approach in the quest for widest possible adoption: Turing completeness, a language based on JavaScript that’s easy for middling devs to learn. It’s worked, because Ethereum is the first smart contract platform people actually use, and the overwhelming majority of contracts on it are written in Solidity. The results, however, are … not so good.

  3. Probably we need immutability and irreversibility at the low protocol level and not at the application level? In Bitcoin and Ethereum they’re still one and the same.

    Like an architecture where “the blockchain” just grows a megabyte per day perhaps and only stores merkle roots or some such to provide the integrity for a global distributed database, which is what then provides applications to end users, including chaumian-type digital currencies?

    (kinda what maidsafe is trying to build but failing to do remaining vaporware because they insist on doing without a blockchain datastructure)

    1. At some point you need final settlement, it’s true. But irreversibility at every level just keeps working out badly.
