Let’s stop underplaying the severity of the Ethereum Parity multisig exploit
Many Ethereum advocates are underplaying the severity of the recent Parity multisig exploit that saw ~153,000 ETH stolen by blackhat hackers, and another 377,000 ETH + $80M USD or so worth of Ethereum-based tokens “stolen” by whitehat hackers. (I put “stolen” in scare quotes because the expectation is that the ETH and tokens will be returned to their original owners in due time.) For some fun FUD, contemplate the following quip: “$150M is enough ink to turn any whitehat black.”
Let’s list some reasons why this really is a big deal:
- Parity Technologies: The multisig code was from Parity, a company founded by Gavin Wood, Ph.D., one of the co-founders of Ethereum. It wasn’t some low-profile code.
- Ethereum Projects & ERC20 Tokens: The multisig code was trusted and used by dozens of high profile Ethereum projects, including ICONOMI, Basic Attention Token, GNOSIS, Golem, etc. All of these projects had some amount of their tokens stolen. In the cases of ICONOMI and Basic Attention Token, it was roughly $30M each. Yes, $30M each, all in one shot.
- Blackhatters may have strategically limited their attack to ~153,000 ETH: Based on the transaction history of the blackhat address, the blackhat hackers, according to some observers in the Ethereum community, may have actually limited their attack in order to not damage the price of their stolen assets. That is, they limited their attack in order to minimize the risk of a hard fork response (as was done in response to TheDAO exploit back in 2016). So, it only seems “not so bad” (read: $32M bad) because the blackhatters let it be that way.
- Poor security practices all over the Ethereum ecosystem: The exploit revealed some poor security practices among many Ethereum projects, some of them otherwise highly esteemed. In short, it shouldn’t be possible to siphon off millions of dollars worth of holdings in a single swoop. This is the result of “putting all your eggs in one basket.”
- TheDAO vs. Parity Multisig Exploit: Many Ethereum advocates are arguing that analogies between TheDAO exploit and the multisig exploit are unjustified, since a much greater percentage of ETH was stolen during TheDAO exploit (~5% of all ETH) than was stolen here. They rightly point out that looking at the two incidents in terms of USD skews the scale of these events. That is right in terms of monetary value. However, they fail to note how much more systematic and wide-ranging the multisig exploit was. It affected at least 30 or so Ethereum projects, all in one hit. It wasn’t as deep, but it was much wider.
- Whitehatters holding the ETH is not much better: The fact that so many people have found comfort and are acting like everything is fine because whitehatters captured the bulk of vulnerable Ethereum assets is startlingly naive. At the end of the day, these are the facts: a gigantic sum of ETH and tokens is currently in the hands of people who should not officially have it. Indeed, many official addresses (development pools, company reserves, etc., that were endowed by recent ICOs) literally show balances of ZERO. This was a brush with death.
Remember, Ethereum is a blockchain app platform; it isn’t supposed to merely be a currency. Its value is supposed to be derived from the apps/projects built on it that give it any sort of utility. (Otherwise, one could just use Bitcoin, Litecoin or whatever other coin.)
If these apps/projects are going to be constantly under threat, then Ethereum will never be able to seriously get off the ground. This is a hit to public confidence and faith in Ethereum as a dapp platform.
Now, there are reasons to think this will blow over and Ethereum will be stronger in the long run because of it. Hopefully the community will learn from this and implement better practices. After all, mistakes are inevitable. It’s just a little frightening when the mistakes are this big and involve such big names.
These events shouldn’t be taken lightly; they are a harsh reminder of the perennial tradeoff between liberty and security.
