CRYPTOCURRENCY SOFTWARE OUTFIT Parity Technologies has fessed up to knowing about the bug that led to about $280m worth of Ethereum being frozen.
Earlier in November, a user known as devops199 was able to take ownership of a particular piece of code (the ‘library' smart contract, a shared component amongst all Parity multi-sig wallets) and then destroy it. Whether this was done purposefully or not has not been established.
The effect of that action was to block the contents of 587 wallets holding a total of ETH513,774.16, Parity has said in a post-mortem blog of the incident.
The issue only affected wallets created on or after the 20 July due to the use of new code. This code, written to be as similar as possible to the original 'stub' smart contract deployed with each new wallet, had the same functionality as a regular wallet and contained the self-destruct function.
Parity says that it was warned about the issue (of someone being able to take control of its library contract) in August. The developers acknowledged the bug and flagged it to be fixed "at a future point in time."
"In August, a Github contributor called ‘3esmit' recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement," Parity said.
"Thus, we committed this proposed enhancement to the library contract that would automatically initialise it by calling initWallet on construction. Interpreting the recommendation as enhancement, the changed code was to be deployed in a regular update at a future point in time."
The company went on to examine the ways in which the exploit could have been prevented.
"There are essentially two main ways this exploit could have been avoided. If the contract code had not included the functionality to suicide or kill, even if someone had taken ownership, they would not have been able to do anything," it said.
"The kill functionality was a remainder of the original audited contract. The other way would have been for the wallet initialisation to have been done as proposed by 3esmit, either automatically through the code change and re-deployment or manually on the contract deployed in July.|
Parity "deeply regrets" the situation and says that it is working to unlock the frozen funds.
However, at this point, it has no fix for the issue. It is considering several Ethereum improvement proposals and has stopped issuing multi-sig wallets; the firm is also carrying out a security audit of its existing sensitive code. µ
What could possibly go wrong...
Committee clams firm failed to implement 'adequate security'
Meme Ban means Meme Ban
It's anonymous data at first but the NYT figured out how to make it personal