Multi-Sig — Identity and Ethereum Are NOT Compatible

You’ve likely heard about the Multi-Sig problem. I’m not diving into it other than as a lesson for those that are working towards Self Sovereign Identity. The Multi-Sig story is a cautionary tale that adds evidence to my claim that Ethereum is ill-suited for underpinning self sovereign identity.

The links at the end of this one goes deep into technical detail so I’ll sum up the situation here.

Smart contracts are the rage in the Ethereum space. It is very early days but I believe the isde of Smart Contracts holds value. But damn are the consequences of coding mistakes huge. After the DAO flaw resulted in a hard fork of Ethereum ( ) you’d think that people would have learned. Nope.

Let me digress a smidge here on Identity in the Ethereum world.

I’ve said before — Ethereum is flawed as a layer to anchor digital identity to, especially Self Sovereign Identity. Ethereum is a compute engine and Ether is a store of value. Ethereum is not something made to underpin a global digital identity platform. My main practical problems are speed and cost related. Ethereum is slow and the costs (the “gas”) for each transaction make it a certain failure for privacy protecting identity — people will do stupid things to save money and I don’t blame them. There are other flaws but I’ll sum it up for my readers — if you’re doing Self Sovereign Identity — pick a different ledger and technology.

OK — back to the problem.

ParityTech — ostensibly one of the best Ethereum developers — created a multiple-signature wallet that would require multiple people to “sign” in order to make a transaction happen. Think of this as needed multiple signatures on a check or multiple approvers on a wire transfer. Great idea. The rationale though was apparently to save gas — each signature would require “gas” — so why not bundle them up to reduce the Ethereum gas cost (that’s the latest Reddit theory answering the “why the hell would you do this that way?” question).

Fast forward a bit — a flaw is found (the 2nd major one in Multi-Sig) and a developer, as a matter of testing a theory that something is up, runs a command. The developer wanted to see if his theory that taking over a wallet was possible due to the flaw. BOOM. It was possible. BUT — the wallet that he ran his test against was the MASTER WALLET. Then he wiped things in a panic and locked that master wallet — the Smart Contract that runs all the Multi-Sig wallets. That locked everyone out.

CONSEQUENCE: All users of the Parity Multi-Sig have had their accounts FROZEN. Approximately USD$150M in value at time of writing.

The smart contract that controlled the wallet had a flaw (another — see my last point in this piece), which given the early phase of Smart Contracts and how folks are coding, isn’t a surprise. The consequences of that flaw are enormous. What would having ALL of your currency locked up do to you and your organization? Nothing good.

My advice: Stay away from Ethereum unless you really know what you’re doing and whatever you do — do not pin digital identity to it, especially a Self Sovereign Identity. If your solution is already tied to it there are ways to move but that goes beyond this article.

So why don’t I like Ethereum as a blockchain to underpin Identity?

  • Too Slow — measuring transaction blocks in portions of minutes means it is too slow.
  • Ethereum doesn’t have the throughput — there is a limit to how much information can go into a block. Identity needs massive numbers of tiny transactions.
  • It is expensive — a privacy-respecting approach of not reusing identifiers uses a ton of tiny transactions.
  • Smart Contracts do too much — The idea of Smart Contracts has power, but Self Sovereign Identity needs to be principally a trusted data store — not a generic computer. The brains live at a higher layer, so the Identity ledger can remain simple — a fast, inexpensive, immutable, and trustable source of truth.

I think you get the idea…

More Detail on the Multi-Sig Hack/Mistake:

  • TechCrunch — semi-technical coverage of the issue.
  • SpringRole — more tech detail
  • This was the SECOND hack of the Parity Multi-Sig wallet. It was hacked in July 2017 as well. 153K Ether (~USD$46M) involved at that time.

NEWSLETTER: I have a free newsletter that I use to share key information about Self Sovereign Identity and key Blockchain trends. If you would like to get access click HERE to get hooked up. I provide key articles, videos, and access to some private material in the newsletter — always written by me.


Originally published at Darrell O’Donnell, P.Eng..