New Parity hack shifts the attitude towards Ethereum. Is it necessary to create Ethereum Safe (ETS)?
Today, I would like to talk about the community, how it is formed, and its stages of development. This topic is especially relevant in connection with the stormy public reaction to the recent hacking attack on wallets based on smart contracts by Parity Technologies, and the attitude of the Ethereum Foundation and Parity Technologies toward this incident.
What is Ethereum? At first it may seem to just be a cryptocurrency that sometimes costs $270 and tends to approach $350. However, it is not just that. First of all, Ethereum is an ecosystem, which is expanding based on its participants’ faith in how the Ethereum Foundation implements its further development. Exchange rates of cryptocurrencies depend largely on how much trust the users demonstrate towards them. But what happens if this ecosystem’s participants lose faith in the competence of the Ethereum Foundation?
In this post, there will be more questions than answers. Through this message, I would like to awaken public discussion and draw the public’s attention to the details that most close their eyes to.
What has the recent situation with another hack of the Parity wallet demonstrated?
1. Coding and code audit
There is a big difference between commercial software development and open-source software development. Usually, the latter is not professionally tested. Constant corrections and a large number of errors are considered to be the norm, and we deem this normal when it concerns developing regular applications. However, when company X develops a software product designed to deal with transactions that may be connected with money transfer, the software developers should approach testing this type of software product with a completely different level of responsibility.
Responsibility is a fundamental piece of the ecosystem, and is at its core. What will happen to the ecosystem if all its participants play fast and loose with those who use their products? 30 million US dollars lost yesterday. $300 million disappeared today. Will it be $1 billion tomorrow?
Smart contracts should be audited — this is the norm in the blockchain community. It seems strange when an audit is neglected. Parity Technologies’ co-founder Gavin Wood is also a co-founder of Ethereum. It turns out that his company was unable to prevent a second hacking attack on the Parity wallet and provide security to their own ICO, which lost about $90 million.
It’s worth mentioning that the hacking attack followed 5 months after another incident that had taken place in July 2017. It has been 5 months since the last hack, but the company still hasn’t audited the smart contract. That’s what they posted in their blog on November 15.
According to Motherboard, the digital wallet company had known about the critical flaw since August and did not address it for months, until it was too late — leading to the loss of $150 million in ETH. Members of the community share this point of view. A serious question arises: why did Parity Technologies not carry out a formal audit after the first hack? Why are they being so irresponsible?
2. Attitude towards responsibility
The responsibility that developers must take on is sidestepped by saying that the industry is still nascent. They might stick to this stance for a very long time, and it can go on forever. What is the Ethereum Foundation’s opinion on this situation?
After the incident, the co-founder of Ethereum Vitalik Buterin immediately distanced himself from solving the problem:
At the same time, Vitalik Buterin allows himself public reasoning on other topics, which would (and did) cause a public outcry.
This irresponsible attitude of Buterin is also noticed by other community members. For instance, the same topic is discussed by Bitcoin/Urbit maximalist Kevin Pham on Twitter:
As a result of this irresponsible attitude, it seems that the industry lacks competent experts, among both its software developers and managers. Many of them have lost touch with reality and live in a virtual world.
However, I would like to emphasize that the virtual world exists within the real one, and the latter is represented by the world’s countries and their governments. If ecosystem participants do not find a way to mature and take responsibility for their actions, they will face pressure from regulators and it will be the regulators who will be auditing smart contracts.
3. Hiding the hack
From the very beginning, the parties involved in the incident have wanted to smooth over the situation by passing a hack off as an accident.
On November 8, Parity Technologies’ representatives announced that the incident was an accident. On November 13, they posted an appeal urging the community not to believe the speculation about a hacker attack circulating in the media and assuring it that they were doing everything possible to unfreeze the funds. However, why are they calling it speculation, when there is evidence proving that the actions of devops199 were intentional?
New facts proving that this user was not a newbie coder appeared on Medium:
Here is the evidence:
Thus, a serious question arises: Why does Parity Technologies avoid publicly declaring that they have been hacked twice? Maybe the reason is that they did not bother to conduct a formal audit after the first hack took place…
It has been over a week now, and Parity Technologies still hasn’t put forward any constructive plan for resolving the situation. Since the company has been sitting on the fence about unfreezing the money for so long, many of us are getting the impression that the company wants to hush the incident up and not return the lost funds to the victims.
On November 15, Parity Technologies posted the following in their blog, referring to taking measures to resolve the situation and return money to the victims: “There is no timeline for when such an improvement proposal could be implemented; we will follow the will of the community and go through the regular EIP process like any other protocol improvement.”
What do they mean by “the will of the community”? We have not found any discussions or polls concerning this issue on the Internet.
Moreover, not all of the community’s members are ready to support the public stance of Parity Technologies, who wish to pass off as an accident a hack that resulted in financial problems for 573 users.
Here is our dialog with Parity Technologies:
Currently, funds are not available on 584 wallets. According to approximate estimates, they amount to about $300 million. However, the exact amount remains unknown.
Only Parity Technologies has access to the wallet database and therefore only they can announce the exact amount of money frozen. But they are keeping quiet and simply suggest that the victims should wait for an indefinite period of time because they are in no hurry to solve this problem at all!
In light of the above facts, I believe that now the future of the Ethereum network depends solely on us. Here is why.
Imagine what will happen if we are not provided with a reasonable solution in the coming days. The reasonable solution is the one that can be implemented in December and will help unfreeze $300 million.
I sincerely regret that Parity Technologies found themselves in this kind of situation; I really liked their software.
However, how many companies will risk using it if Parity Technologies is unable to provide the victims with a solution to unfreeze their money? Trust in most of the products they are developing will vanish. If the team of developers is constantly making mistakes, and this results in the loss of large amounts of money, then the company’s name will carry negative connotations.
I do not want this to happen, since a situation of this kind can undermine the general credibility of software development for the Ethereum network.
Smart contracts are the foundation of the Ethereum network. The current situation has demonstrated how risky it is to fully rely on smart contracts. No one can guarantee that they will work just as users need and expect them to. Therefore, it is necessary to provide a protocol that will regulate the solution of such problems.
Perhaps the Ethereum Foundation should consider introducing accredited auditors? You will object that this measure would be a big step towards centralization. However, any ecosystem is reminiscent of a startup in the beginning, and then later turns into a mature company. Sticking to the opinion “not my circus, not my monkeys” is not the same as decentralization. The ecosystem must evolve, and therefore the following question arises: to what extent is the current management of the Ethereum Foundation ready for this to happen?
Regulation of the crypto industry is inevitable, and in the first place it will be imposed on the network in which people lose large amounts of money, whose software allows these sums to be lost, and where this problem occurs regularly. Why am I writing this if I invest in ETH? When investing in Ethereum, in return I expect stability and growth of the ecosystem.
If nothing changes, another fork, called Ethereum Safe (ETS), will be created. The latter will be traded at a higher price than ETH, since it will be the choice of those who consider security to be of significant importance.
We are running the Cappasity ICO, and tens of thousands of people have already expressed their trust in us and become participants of the Cappasity Ecosystem. We take care of our community and will release Cappasity Tokens on time. We, as members of the Ethereum ecosystem, look forward to a similar attitude toward us from the Ethereum Foundation and Parity Technologies. I want to believe that the scenario described above will not become a reality.
Kosta Popov, Cappasity CEO
P.S. If your Parity wallet has been affected by the hack, contact us at email@example.com. We will share with you the steps that we are going to take, if Parity Technologies does not give us an answer about the solution for the situation within a reasonable time.