Approximately $300 million worth of Ethereum has disappeared from the Ethereum network after one stupid mistake. Some are calling for a new hard fork. Others say it’s just part of the volatile world of cryptocurrency.
Today, we’re explaining everything you need to know about the latest Parity wallet hack [not to be mistaken for the $30,000,000 hack earlier].
The story broke on November 7 when a developer going by the name “devopps199” reported the issue on GitHub, describing the vulnerability that led to the freeze of an enormous amount of Ethereum.
The vulnerability affects any Parity wallet deployed after July 20 – specifically, it affects wallets using the multi-signature functionality. Parity multi-signature wallets require more than one key to initiate and broadcast transactions. It’s meant to be another layer of security preventing funds from being stolen or misused.
In attempting to fix the vulnerability, something horrible happened instead: all funds inside Parity multi-signature wallets have been frozen. This effectively means the Ethereum is trapped on the network. It cannot be recovered.
Parity constitutes roughly 20% of the network. Some claim that Parity multi-signature wallets account for $100 million of Ethereum. Others claim the number is as high as $300 million.
How this Hack Occurred
This latest vulnerability comes after another Parity vulnerability was discovered earlier this year. Back in July, Parity wallets were hacked and $30 million in Ether was stolen.
Parity patched that vulnerability, and everybody thought the issue was fixed. However, another issue was present in the code that allowed yesterday’s exploit to occur.
In attempting to fix the problem, Devopps199 – who claims he’s new to Ethereum development and new to smart contracts – simply followed the logic of the former hack when he stumbled upon the latest problem.
The end result is that at least 514,000 ETH (worth about $155 million) have been lost.
The hack occurred because Parity’s wallet consists of two parts: a lightweight contract deployed every time you create a new wallet as well as the “library” contract that contains the majority of logic for the wallet. The library contract is deployed only once to reduce gas usage. This works great when implemented correctly. However, this “library” is the part that has the significant error. The “library” can also be seen as a smart contract.
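The two-part design described above can be modelled in a few lines. This is an added illustration, not Parity's code: the class and function names are hypothetical, the balances and owner names are constructed, and how the shared library became unusable is deliberately reduced to a single flag. It shows why one fault in the shared part strands funds in every wallet that depends on it, even when the owners supply valid approvals.

```python
# Toy model (constructed for illustration) of the two-part wallet design:
# many lightweight wallet stubs forward their logic to ONE shared library.
from dataclasses import dataclass


class CallFailed(Exception):
    """Raised when a wallet cannot execute a withdrawal."""


@dataclass
class Library:
    usable: bool = True          # False models the shared code becoming unusable

    def withdraw(self, wallet, approvals, to, amount):
        # The multi-signature rule lives in the library, not in the stub.
        if len(set(approvals) & wallet.owners) < wallet.required:
            raise CallFailed("not enough owner approvals")
        if amount > wallet.balance:
            raise CallFailed("insufficient balance")
        wallet.balance -= amount
        return (to, amount)


@dataclass
class WalletStub:
    owners: frozenset
    required: int
    library: Library             # fixed at deployment; the stub cannot change it
    balance: int = 0

    def withdraw(self, approvals, to, amount):
        # The stub holds funds and state but delegates every decision.
        if not self.library.usable:
            raise CallFailed("library logic unavailable")
        return self.library.withdraw(self, approvals, to, amount)


def frozen_total(wallets):
    """Sum of balances held by stubs whose shared library is unusable."""
    return sum(w.balance for w in wallets if not w.library.usable)


def demo():
    lib = Library()
    a = WalletStub(frozenset({"alice", "bob"}), 2, lib, balance=100)
    b = WalletStub(frozenset({"carol", "dave", "erin"}), 2, lib, balance=250)
    a.withdraw({"alice", "bob"}, "payee", 40)       # works while library is usable
    lib.usable = False                               # one fault in the shared part
    try:
        b.withdraw({"carol", "dave"}, "payee", 10)   # valid approvals, still fails
    except CallFailed as exc:
        return a.balance, frozen_total([a, b]), str(exc)
```

The balances are still recorded against each wallet after the fault; what is lost is the only code path able to move them.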
Some are blaming the developer responsible for the error. Others, however, are saying we can’t really blame the guy. Here’s how Sergey Petrov explained it on Medium:
“Can we blame the guy who did this? Someone probably can and will do, but he did nothing wrong. If you leave big red button for launching nuclear missiles available for everyone someone sooner or later, intentionally or not will press it.”
If devopps199 didn’t “press the button”, so to speak, then somebody else would have.
How to Retrieve the Frozen Funds
There’s no way to retrieve the Ethereum without a hard fork. For all intents and purposes, that Ethereum is locked from public access permanently.
Back in 2016, the Ethereum community faced a similar problem with The DAO. An enormous amount of Ether was stolen and frozen. Instead of letting the hacker get away with millions of dollars in Ether, the Ethereum community decided to effectively “roll back” the blockchain to a time before the hack occurred. This required a hard fork. That hard fork led to the creation of Ethereum (ETH) and Ethereum Classic (ETC).
Some are proposing a similar solution with this latest Parity wallet hack.
In fact, some developers claim that a hard fork is the only way to fix this problem. Without a hard fork, these funds can never be retrieved.
Nevertheless, hard forks are a controversial upgrading mechanism due to Ethereum’s history. Many insisted that The DAO was going to be the last hard fork. If we roll back the blockchain every time a vulnerability is discovered, then what’s the point of having an immutable blockchain?
For that reason, many in the Ethereum community are already refusing to execute such an upgrade.
In the meantime, Parity has issued a statement warning users to avoid creating new multi-signature wallets:
“We are advising users not to deploy any further multi-sig wallets until the issue has been resolved, and to not send any ether to wallets that have been deployed and are in use already.”
Parity added that they were “analyzing the situation” and planning to release an update shortly.
In any case, as much as $300 million in Ether cannot be retrieved. It remains to be seen what the community will do about this.