A recent software bug within an Ethereum based wallet named Parity has led to funds valued at over $150M permanently locked away. The only suggested solutions are to either perform a hard-fork in an attempt to recover the locked funds, or to respect the conditions of immutability and consider them lost.
There was once a time when the phrase “immutability” and “code is law” was proudly thrown around by the Ethereum and DAO community.
An article focused on the DAO experiment highlights notions of 'code is law' and states that “The DAO represents the first large-scale, public application of code as law.” As many may recall, the DAO failed tragically, remaining to be the crypto version of the Hindenburg Disaster - though thankfully nobody was physically harmed or lost their life as a result.
It seems that code was law - with a small invisible disclaimer at the bottom stating “unless it does not go as planned”. As mentioned post-DAO:
If you are confused about some of the mentioned terms, let us go back and approach this with an overview. Ethereum was launched in 2014 with the promise of allowing smart contracts to be written and executed directly on top of their blockchain. To explain this better, you can look at it as a traditional legal contract digitally format in code as opposed to jurisdictional laws. In contrast to jurisdictional laws, once the digital contract is executed, it is in automation and can not be reversed - much like sending an amount of bitcoin to someone.
The DAO Hack
This created a lot of excitement within the cryptosphere, though the excitement reached a peak when a project proposed that the very framework of its decentralised investment firm would operate on a smart contract. This meant that investors were able to vote on the proposals and overall direction of the organisation without direct human input or board members involved. Your voting weight was dependent on your initial investment. This project was called DAO - Decentralised Autonomous Organisation - and proudly proclaimed that the “code is law”. Unfortunately things did not go as planned and fourteen percent of all Ethereum tokens (ETH) were lost due to a poorly audited smart contract. The response to recover the stolen funds was a hard fork which is referenced to as Ethereum today. Those who refused to sacrifice immutability, a core principle of blockchains, retained the original Ethereum blockchain in the form of Ethereum Classic.
A blog post on the Augur website highlights this event by stating that:
"Rushed code is bad code. The DAO was rushed. The DOS-vulnerable soft fork was rushed. If you ask me, rushing a hard fork would be a huge mistake."
Solidty - Ethereum’s smart contract language - and the contract itself both play a part here. You could argue that a newly developed language without any global auditing or use should have never been tested with a project that raised $150M until it was given more time to find and patch such vulnerabilities. Others may argue that this had nothing to do with Ethereum but rather the way the smart contract was written - despite it being audited by leading Ethereum developers. The strange thing is that even the founders of this project made a post acknowledging the issue days prior to the hack, though this did not change the outcome:
"Our team is blessed to have Dr. Christian Reitwießner, Father of Solidity, as its Advisor. During the early development of the DAO Framework 1.1 and thanks to his guidance we were made aware of a generic vulnerability common to all Ethereum smart contracts. We promptly circumvented this so-called “recursive call vulnerability” or “race to empty” from the DAO Framework 1.1"
So here is where we start to consider some aspects of such situations. To move past centralization we must be able to trust proposed decentralized networks. Bitcoin’s network has been able prove without a doubt that it is capable of handling billions of dollars worth of funds without failure.
The Parity Incident
Ethereum’s smart contracts on the other hand have shown to be vulnerable on several occasions, including the most recent “accidental” kill-switch on Parity's multi-sig wallets which has locked away a large sum of funds as of November 6th. The final figure is still unknown, but speculative figures estimate locked funds to be between $150 to $250m. The number of wallets affected has been officially stated by Parity to be 584. All wallets affected were implementations of multi-sig contracts deployed from July 20th which were created in response to an earlier bug that led to a $32m hack of Ether.
On the latest incident, this is the official statement from the Parity team:
“We very much regret that yesterday’s incident has caused a great deal of stress and confusion amongst our users and the community as a whole, especially with all the speculation surrounding the issue. We continue to investigate the situation and are exploring all possible implications and solutions. Blockchain and related technologies are a vanguard area of computer science. Our mission remains to build software to power the decentralised web.”
For context, multi-signature - also referred to as multi-sig - wallets allow you to share the ownership of a wallet between several people (usually three, though it can be more). It is a very secure approach to handling funds, especially when dealing with ICO or foundation funds. This approach ensures that no one person can sign off on a transaction if they are compromised through a hack or if they choose to run away with the money. Parity is the most commonly used multi-sig wallet when dealing with Ethereum.
You can check whether your Parity wallet has been affected by the recent incident via affected.parity.io.
The conversation now revolves around the proposed solution being a “hard-fork”, following the same trajectory as the DAO incident.
What can we learn from such incidents? For one, Solidity is a new language that has yet been given the time to mature. Until such a time, it will have vulnerabilities and flaws. On the other hand, Parity seems to have patched one bug while missing to spot another.
Hopefully we can see some updates on what can be done and to see funds unlocked and returned to their rightful owners, though at this stage the only viable solution is pointing to a hard-fork.
Featured image from Pexels