Well, what a shit show.
(Just wanted to first point out that in any normal industry this would have been the talk of the town for months, but in crypto we are already forgetting about it 4 days after it happened, given the amount of other things going on. Crazy.)

So, what happened?
Somewhere between $150M and $300M of funds stored in Parity Multisig wallets are now lost (or, more specifically, inaccessible).
The latest guesses are around 151 wallets, with balances totalling 513,743 ETH or $152 million.

Background:
Parity Multisig wallets are deployed as Ethereum contracts. In July, a hacker exploited a bug in the wallet contract and stole around $30M (at the time) worth of Ether. Whitehats came to the rescue fast and saved quite a lot more.
Parity released a fix: a new version of its wallet library. All new multisig wallets deployed after July 20th are thin contracts that forward their calls (via delegatecall) to that single shared library contract, rather than each carrying a full copy of the code (like a page loading a js script).
Well, it turns out that even this contract had a pretty giant security bug. According to Parity, "it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function": the library's own storage had never been initialised, so the initialisation function meant to run once per wallet could be called on the library itself, by anyone.

How:
Some random newbie who says s/he was trying to learn (but others speculate was trying to find funds in insecure contracts) became the owner of the library contract by calling that function.
Then, they probably panicked and called the "kill" function, which self-destructed the library.
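The mechanism in the two steps above, as an added, simplified illustration in Solidity (this is not Parity's code; the contract and function names, the storage layout, the `onlyDelegated` guard and the constructor-initialisation fix are assumptions made for this example):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration of the "shared library with an unguarded initialiser"
// failure mode. NOT Parity's code: names, storage layout and guards are
// assumptions made for this example.

// --- Vulnerable pattern ------------------------------------------------------

contract VulnerableWalletLibrary {
    // Storage slots 0 and 1. The library's OWN copy is never written, because
    // the library is only meant to run via delegatecall from a wallet stub,
    // which has its own storage.
    address[] public owners;
    uint256 public required;

    // Vulnerable: the only guard is "not initialised yet", which is exactly the
    // state of the library contract itself. Anyone can call this directly on
    // the library and become its sole owner.
    function initWallet(address[] calldata _owners, uint256 _required) external {
        require(owners.length == 0, "already initialised");
        require(_owners.length > 0 && _required > 0 && _required <= _owners.length, "bad params");
        owners = _owners;
        required = _required;
    }

    function isOwner(address a) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == a) return true;
        }
        return false;
    }

    // Vulnerable: an "owner" of the library can delete the code that every
    // wallet stub depends on (pre-Cancun semantics; see the note below).
    function kill(address payable to) external {
        require(isOwner(msg.sender), "not owner");
        selfdestruct(to);
    }
}

// Thin wallet that forwards everything to the library.
contract WalletStub {
    // Must mirror the library's storage layout: under delegatecall the
    // library's code reads and writes THIS contract's slots 0 and 1.
    address[] public owners;
    uint256 public required;
    address public immutable lib; // immutables live in code, not in storage

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    fallback() external payable {
        // A low-level delegatecall does not check that `lib` still has code.
        // Once the library has self-destructed this returns ok == true with
        // empty return data: every call "succeeds" and does nothing, so the
        // Ether sitting in this stub can never be moved again.
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}

// --- Hardened pattern --------------------------------------------------------

contract HardenedWalletLibrary {
    address[] public owners;
    uint256 public required;

    // Fix 1: record the library's own address in code. Under delegatecall,
    // address(this) is the stub, so this rejects any direct call to the library.
    address private immutable self = address(this);

    modifier onlyDelegated() {
        require(address(this) != self, "direct call to library");
        _;
    }

    // Fix 2: initialise the library's own storage at deployment, so the
    // "not initialised yet" guard can never pass on the library itself.
    constructor() {
        owners.push(address(0));
        required = 1;
    }

    function initWallet(address[] calldata _owners, uint256 _required) external onlyDelegated {
        require(owners.length == 0, "already initialised");
        require(_owners.length > 0 && _required > 0 && _required <= _owners.length, "bad params");
        owners = _owners;
        required = _required;
    }

    // Fix 3: no selfdestruct anywhere in shared code.
}
```

On a pre-Cancun chain the vulnerable sequence is: deploy `VulnerableWalletLibrary`, call `initWallet([attacker], 1)` on it directly, then `kill(attacker)`; every `WalletStub` pointing at it is now a shell whose calls succeed silently. Since the Cancun upgrade (EIP-6780) `selfdestruct` no longer removes code outside the transaction that created the contract, so that last step would not brick the stubs on mainnet today, but the unguarded initialiser is just as wrong. The stub cannot detect the missing library by itself; a `require(lib.code.length > 0)` in the fallback is the cheap wallet-side defence.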
This has rendered the library unusable, and all the wallets that relied on it are now f*****: the code they forward to is gone, so calls to them do nothing and the Ether they hold cannot be moved.

Who's affected:
As we were saying, there are around 150 wallets affected. Ironically, the biggest wallet affected was that of Polkadot, a project developed by Gavin Wood and the Parity team.

Solutions:
Not many, really. There are a few scenarios:
1) all the money is lost;
2) a fix is implemented somehow and the funds are restored;
3) an ad-hoc fix is implemented in one of the already planned hard-forks.
To me, #1 looks like the most probable.
We wish we had more time to organize our thinking around such an interesting and important development in the space.
But there are a few easy takeaways:

1) Smart contract development is hard!
It's still software development, with the added complexities of being a completely new world AND one where you can't change what you deploy. Hardware engineers must be rejoicing all over the world (maybe that's where we should be looking for devs.. 🤔).
Parity is probably one of the few shops able to develop complex smart contracts - I mean, Gavin invented Solidity - and they can obviously get it wrong (multiple times).
Does this mean Ethereum sucks? Not in our view.
Solidity is a complicated language, and it doesn't make writing safe contracts easy, but it can always be improved, and we can still create new languages that compile to the EVM. We did have Serpent, Mutan and more at one point.
This, to me, shows there are multiple opportunities:
- creating tools for more secure smart contract frameworks
- creating competing multisig wallet tools
- black hat hacking of insecure fund-holding contracts

2) The ETH hard-fork set a precedent
and now everyone is wondering what is going to happen here. We don't have predictions nor particular ideas; we'd like to see what the community consensus is, but we don't think the conditions are there for an ETC-like split, with all the options on the table.

3) The most interesting thing to me is the relationship between Vitalik and Gavin.
I've always been fascinated by this and can't wait to see how this one will play out.
Gavin Wood was one of the early additions to the Ethereum team (and got the founder title) but left in 2016, when the foundation was short on funds, to create Parity.
In his goodbye post he doesn't mention Vitalik, and I've always felt a HUGE tension between the two.
Now we get to see if there is some sort of power struggle, given that Gavin's interests are pretty big this time around.

4) DO. NOT. FINANCE. MEGA. ICOs.
The Web3 Foundation issued a very short post saying that the loss of almost $100M DOES NOT AFFECT THEIR ABILITY TO DEVELOP POLKADOT.
So, if removing $100M from their wallet doesn't affect the delivery of the project, why in the world did they need it? AND, more importantly, what were they going to do with it?
This is just a reminder that my opinion on these types of ICOs is that they are pure money-grabs, and that there is no reason to finance such early-stage projects with so much money.
Bringing a software product to market can cost $200k, $1M, maybe $5M if it's really complex and takes a lot of time, but when you start talking 8 figures we get into "scaling" territory, which should ideally be supported by the project's token reserves (so as to have everyone aligned in the growth of the token).
On the topic of security, I suggest taking a look at Zeppelin's slides from Devcon3.