Ethereum client, Parity, experienced another vulnerability in November 2017; this one, much larger than the first, with the total amount of stolen tokens valuing 514k ETH (c. $155M).
The previous Parity hack took place in July 2017 when three wallet accounts holding significant amounts of ETH were compromised and the balances moved into accounts held by the hacker. This was a result of a bug found in the multi-signature (multisig) wallet code, used as part of the Parity Wallet software.
The November hack was also the result of a vulnerability in its multisig wallet. The multisig wallet by Parity is made up of two parts: (i) a lightweight contract, deployed each time you create a new wallet; and (ii) the ‘library’ contract, which is deployed only once, but contains most of the wallet logic. If the library contract is implemented correctly, it makers it speedier every time you want to create a new contract. However, you guessed it… this library had a significant error and it went “dead”, as did all the tokens stored on its dependent contracts.
When Parity’s developers deployed common code as a ‘library’, they actually deployed an uninitialized wallet, meaning that the wallet could subsequently be initialized. An unidentified user went ahead and did so, and in gaining access to the contract, effectively made themselves an owner, allowing them to delete critical code and effectively kill the library contract. As all the other Parity multi-sig wallets depend on the library contract, they were frozen, blocking account owners access to their Ether funds.
In a statement issued at the time, the company said, “The team is working on a broadly accepted solution that will unblock the funds.” In seeking to reassure customers, they added, “Moving forward we will further improve our process related to the development of mission critical code and work together with the community to make core infrastructure more secure.”
According to Business Insider and other sources at the time, Parity was contemplating a so-called hard fork in the blockchain. Martin Swende of the Ethereum Foundation told ETHNews that such a move was the only way to unfreeze the wallets. A hard fork would entail forcing the digital ledger to return in time to the moment before the critical code was deleted. It would then create a new, second path from that one, in which the accounts were never frozen. Sound like a science fiction movie?
Technically, hard forks are not that difficult to undertake; to users, they look like a software upgrade. However, they are controversial within the blockchain community as people fear that the use of frequent forks will compromise the integrity of and support for Ethereum, possibly reducing Ether’s value.
The challenges of a hard fork “are more of a political than technical nature,” Swende told EthNews.
Apparently, Parity was considering pushing for the hard fork to be part of an already scheduled security update called EIP156.
There has been anger in the blockchain community over Parity’s second stumble involving vulnerabilities. Sergey Petrov on Medium wrote, “Personally, for me, they lost credibility after the first vulnerability in July, but things are much worse, they still used their own version instead of community audited version.”