If you are into cryptocurrency or blockchain at all, you will have heard about the Ethereum Parity Bug that has basically thrown $280 Million value or more of Ethereum tokens in the bin.
It’s a bit of a mess really, and a mistake by the developers who introduced it after fixing another bug back in July to do with multisig wallets (wallets which multiple people have to agree to transactions).
You can see the thread on Github here: anyone can kill your contract #6995
There’s a lot of hair-pulling among Ethereum alt-coin hoarders today โ after a programming blunder in Parity’s wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.
Parity, which was set up by Ethereum core developer Gavin Woods, admitted today that a user calling themselves devops199 had “accidentally” triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods’ own savings.
Multi-signature wallets mean more than one person has to sign off on a transaction before funds are moved, and are popular with companies and investment groups looking to protect their assets. Unfortunately, Parity’s technology is seriously flawed: in July a hacker managed to exploit errors in the multi-signature code to steal about $30m in Ethereum.
In response to that cockup, rity updated its wallet software to address the vulnerability, and rolled out a new version. However, that update contained another disastrous bug, one that would lock people out of their wallets. It was set off by devops199 on Monday, affecting anyone who had installed the new code since its release.
So far it seems this Ethereum Parity Bug has affected 573 wallets, which is quite a lot – shown on the tool to check if you were affected:
This includes the loss of $90 Million or so owned by the Parity wallet owner and Etherum core developer Gavin Woods.
“That code still contained another issue โ it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function,” Parity’s advisory stated.
“It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
In a series of posts on GitHub, devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update.
A full list of 70-odd affected wallets has been uploaded to Pastebin.
Parity has confirmed the above sequence of events leading to this week’s catastrophe with The Register. So far there’s no response on whether it will be possible to unlock the wallets, or if there are any plans to recover punters’ digital dosh. We’ll post more information when it becomes available.
That’s a lot of money that just went in the bin and I’d guess a whole bunch of angry people just went from being millionaires to nothing. I hope those with a lot of coins, who suffered a loss, didn’t invest a lot of their own real World money to get them.
That would be really painful.
It’s also interesting to note that following this the value of Ethereum has actually gone up, maybe because there’s less in circulation now? Or just more people found out about it.
There’s also no real way to fix Ethereum Parity Bug unless Ethereum forks back to before the tokens got wiped out by the bug, which seems pretty unlikely. Also Vitalik has been pretty quiet about the whole thing only tweeting this.
The last crypto thing that most people didn’t know about was that most Bitcoin vendors are actually compromising the supposed Anonymity of using Cryptocurrencies.
Source: The Register