Another massive Ethereum catastrophe

Last year I wrote about the massive DAO failure. Today the Ethereum community witnessed another unfortunate flaw. I hopped on the Parity Gitter right as this was happening (for an unrelated reason) and experienced the drama in real-time.

Developers had discovered something wrong but they didn’t know the extent. A little later devops199 hops in…

Rather calm considering…

What seems to have happened is that someone was learning about the blockchain and deleted a shared library that was used by Parity’s Multi-Sig Wallet. Multi-Sig Wallets are Ethereum contracts and are designed to have extra security features. They can allow for multiple passwords (from different people) and withdraw limits. By deleting this library devops199 locked up well over $100 million in Ether. Most of which probably belong to ICO projects. devops199 went on to prove that he has the private key that caused the disaster.

gregrebholz provides a better technical understanding of what happened:

gregrebholz @gregrebholz 10:12
Parity’s “multi-signature wallet” (designed for shared ownership) can be deployed by anyone, and relies on the already deployed “wallet library” that is the subject of today’s dumpster fire. The wallet library has the “make a new wallet” function in it. devops199 called that function directly, instead of from a new wallet. The library turned itself into a wallet with devops199 as the owner. The owner of a wallet can “suicide” the wallet, which is what he did next.

How could this be an accident?

For what it’s worth I believe devops199 wasn’t malicious. He wasn’t able to steal any funds, just lock them up. It is conceivable that he deleted this by accident. If he actually knew he could have locked up the funds, he could have worked with Ethereum core developers or fund owners and become a hero.

What happens now?

Last time $150 million was at risk due to bugs in smart contracts, the Ethereum community executed a hard fork. A debate resulted in a split that created Ethereum Classic. It looks to me like another hard fork is the only way to unlock the funds.

Who’s fault was this?

Ethereum is going to continue to run into drama like this. Ethereum is like a society with no insurance companies, no judges that are able to reason about the intent of contracts and a fast development pace. It’s a misconception that there is some kind of army of developers reviewing all this code. First, there aren’t very many Ethereum developers. Second, most of them are creating things, not reviewing contracts.

The Ethereum blockchain is the responsibility of the users. This wasn’t devops199 fault. I see no evidence that he did this on purpose. It wasn’t Parity’s fault either. They make free and open code to be used by choice. I hope we can work together to improve and resolve it without pointing figures.