On Nov. 6 at 2:33 UTC, the Parity Wallet software was hacked, resulting in over $150 million worth of Ether (the cryptocurrency of the Ethereum network) being locked away, effectively irretrievable. A self-described “Ethereum newbie” developer named devops199 “accidentally” triggered an exploit that turned the Parity library contract into a regular multi-signature wallet, transferred ownership to him/herself, and promptly deleted the code and its contents. The library contract was last updated following the July hack of the Parity multi-sig wallet, but this particular vulnerability passed through nonetheless. 584 wallets were affected, including the wallet for the Polkadot token sale, an ambitious project led by Parity Founder and CTO Gavin Wood.
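To make the pattern described above concrete, here is an added Solidity illustration (constructed for this article, not Parity's code): a shared library contract that wallets delegatecall into, whose initializer can be called directly on the library itself, beside a hardened version. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration (not Parity's code): a shared "library" contract that
// wallet proxies delegatecall into. Its initializer was meant to run once per
// wallet, but nothing stops anyone from calling it directly on the library.
contract VulnerableWalletLibrary {
    address public owner;

    // Unguarded initializer: any caller can make themselves owner of the
    // library's own storage, turning the library into an ordinary wallet.
    function initWallet(address _owner) public {
        owner = _owner;
    }

    // Once someone owns the library, they can remove its code. Every wallet that
    // delegatecalls into it then points at an empty address and its funds freeze.
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

// Hardened form: the initializer runs at most once, the library's own storage is
// sealed in its constructor so it can never be claimed, and there is no
// self-destruct path at all.
contract HardenedWalletLibrary {
    address public owner;
    bool private initialized;

    constructor() {
        // Seal the library's own storage at deploy time.
        initialized = true;
    }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    // Runs once per wallet proxy (via delegatecall, where `initialized` reads
    // the proxy's storage slot, still false), never on the library itself.
    function initWallet(address _owner) public onlyUninitialized {
        initialized = true;
        owner = _owner;
    }
}
```

Auditing for exactly this class of defect (an initializer reachable on the shared implementation, plus a code-removal path) is the kind of check the wallet contract work mentioned later in the article aims at.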
The blockchain and cryptocurrency space is not without the occasional hack and exploit of its vanguard technologies. At the current phase of development, many of the protocols, applications, and platforms are in the prototype/experimental phase. Ethereum, a blockchain designed for developers to build and launch decentralized applications (Dapps), has been the home of some of the most notorious hacks in the space. The DAO hack resulted in a massive loss of funds as well as a controversial fork of the Ethereum network into two blockchains: one in which the hack happened (Ethereum Classic) and the other in which the ‘narrative’ was rewritten (Ethereum), erasing the hack from the story of the blockchain ledger.
This rewriting of history has resulted in much criticism thrown at the Ethereum team, particularly Vitalik Buterin, whom many are quick to attack.
I am deliberately refraining from comment on wallet issues, except to express strong support for those working hard on writing simpler, safer wallet contracts or auditing and formally verifying security of existing ones.
The only way to revert the hack is to implement what would undoubtedly be another contentious hard fork.
While more details of the hack are sure to unfold, this event has sparked concerns about the integrity and security of development practice within the blockchain space. A supposed “Ethereum newbie” was able to make a change to what is clearly mission-critical code. Most of the hacks in this space do not involve a hack of the blockchain (itself an immutable, resilient ledger of transactions) but rather an exploit of smart contracts, which are programs that execute on the blockchain and facilitate the movement of assets. Some projects crowdfunding through token sales have been the victims of theft and subterfuge. The attack surface of a general-purpose, programmable environment is difficult to mitigate.