Frozen: the story of the largest wallet burglary in Ethereum’s history, a massive mystery, and a tiny sliver of hope.
I’m finally telling the story of how I was granted a development endowment from the Ethereum Foundation… And how within weeks it was lost forever to a hacker who has since vanished.
Written by James Levy, founder of TapTrust.
With the November 2017 Parity contract fiasco affecting hundreds of millions of dollars worth of ether having recently occurred, there has been a new momentum in discussion around frozen funds on the Ethereum network.
As a result of this new discussion, I co-authored EIP 867, a proposal that aimed to bring some organization and standardized formatting to proposals for recovering frozen funds. This EIP was incredibly controversial and its underlying goals are discussed at more length in a separate blog post.
With the new discussion around the most significant cases of frozen funds, it seems like it is finally be the right time to tell the story of the how in 2015 I was given a development grant from the Ethereum Foundation, and how within weeks it was stolen — in the largest hacking-based theft from an External Owned Account (EOA) in the Ethereum protocol’s history.
Getting and Losing an Ethereum Foundation Grant
I first met Vitalik Buterin and started learning about Ethereum — the digital token he created — when he spent the night at my house shortly after Buterin and Gav Wood published the now-famous whitepaper.
In the coming months, I became obsessed with the potential of Ethereum and started learning everything I could about it. I integrated myself into the community and started coding with the hopes of building something not for my own personal gain, but for the benefit of the entire ecosystem.
Educating Developers about Ethereum
The project to be based around the Mintchalk project was to be called Agreemint, and was intended to make Ethereum more accessible to the average developer. The existing Mintchalk codebase was built entirely around a contract programming language called Serpent, and as 2014 progressed, it became increasingly clear that Solidity was to become the contract programming language of choice over Serpent, so there was an opportunity to rethink what the Mintchalk project was, in the form of the new Agreemint. Together with a few colleagues, I hoped to remove some of the technical hurdles impeding mainstream adoption of this world-changing new technology. I couldn’t have been more excited to be building something that I felt was desperately needed in the community.
A partnership with the Ethereum Foundation
In March of 2015 I found a message from the Ethereum Foundation in my inbox regarding their DEVGrant program.
The message began:
Tue, Mar 10, 2015 at 7:29 AM
subject: Ethereum endowment (time sensitive)
Thank you again for your contributions to the Ethereum project. As part of our arrangement you will be allotted the following amount of ether from the original endowment pool:
The Foundation was generously offering me an endowment of more than 40,000 ether to bring Agreemint to life through their Ethereum DEV program, and asked for a wallet address to deposit the funds into. In my work with Ethereum, I had already set up a number of wallets using the “genwallet” feature of a pyethtool script created by Vitalik for just this purpose — all the user had to do was enter a seed phrase, and this seed phrase returned a unique, impossible-to-guess private key.
I sent back the address of the first wallet on my list of wallets I had generated with Vitalik’s pyethtool script—a simple command-line tool that asks for a seed pass phrase to generate a public and private key. A few months later, in August, 2015, I received one more email message from the foundation saying “we are ready to send your ether allotment from the Endowment Pool.”
Over the next few months, I regularly checked the balance to see if the endowment had been sent, and each time, the wallet balance was zero. However, upon checking again one day in early January 2016, I noticed something odd — the balance was still zero, but there was a new outgoing transaction, and an earlier incoming transaction, for the amount the Ethereum Foundation specified would be sent. After some digging, I realized what had happened: on November 24 2015, the endowment was quietly sent, without a confirmation message. And just a few weeks later, in mid-December, the wallet was drained of its entire balance by an unknown party.
The grant had been sent, I realized. But it was now gone.
The address containing the grant had been drained.
When I saw the transaction that had drained the wallet, my stomach immediately sunk, and I started racking my brain for the answers. How could this be? I hadn’t moved the funds. Nobody else ever had access to the private key. I’m generally very secure with my wallets, and follow all standard practices — at a minimum — to make sure nothing like this would be an issue.
What possibly could have happened?
I decided to find out for myself, and downloaded BrainFlayer, an open source wallet cracking tool. I started it up, attempting to break into the endowment wallet — and sure enough, within a few hours, I was in. And then I realized:
I had made a huge mistake.
The very first address on my list had been a test wallet, where I had inputted an incredibly simple and easily cracked seed phrase when prompted for one with Vitalik’s pyethtool script, and then securely saved the public and private keys. Unfortunately, I was not fully aware of how the tool actually worked. Unlike other cryptographic security tools asking for a seed phrase to generate a login keypair or to use as two-factor authentication (such as the Ethereum pre-sale wallet generator), choosing a particular seed pass phrase always resulted in the same Keccak/SHA-3 derived public and private key.
To understand how this security model would be problematic, consider if Gmail only required a password to login, and logged you into the email account for the first user who had previously signed up with that password. You only would ever want to use a security model like this if your password was a completely unguessable string, and not a relatively simple password.
Unfortunately, Ethereum was still using this system when I generated my first wallet in 2014, and saved its public and private keys. Being on the cutting edge has its benefits, but in the rapidly evolving world of blockchain tech, it can also mean the seemingly minor mistakes can have huge consequences.
This insecure wallet was the first address recorded to my secured list of public/private keypairs I owned, and simply because it was first, I chose that address to send to the Foundation. Like all wallets made with the 2014-era Ethereum wallet generation script using a seed pass phrase, it was vulnerable to being hacked — especially without a very complex pass phrase.
Following the Money
Here’s where it gets a little more interesting. In the time since the January 2015 burglary that drained the ether endowment wallet, not so much as a single Wei (the smallest unit in Ethereum) has moved out of the new address holding the endowment.
In two years, the address containing the stolen funds has inexplicably had exactly zero incoming or outgoing transactions.
It has now been almost two years, and still no activity. Within seconds of a single incoming or outgoing transaction to the hacker’s address, our team and its blockchain analysis collaborators will be instantly notified. But this hasn’t happened yet. And with every day that passes and nothing happens, the probability of the stolen funds ever being accessed again decreases as well. It increasingly is looking like the funds have essentially been frozen, stuck — forever, presumably — in the thief’s wallet, which has never been accessed even once.
There are a number of reasons why the funds have never moved. It could be that whoever took the endowment is waiting for something, or that they are too scared to touch it. Maybe they are no longer able to access it for some reason, or perhaps whoever moved it doesn’t even know that they moved it.
The one thing that can be known for sure, however, is that the since being taken, the endowment funds have not been touched.
Which raises the question, what happens next?
Fixing the Unfixable
I’m going to back up, for a moment, and discuss how the nature of Ethereum affects situations like the one I found myself in. If you’re already familiar with Ethereum, you know that as with Bitcoin, its true power comes from its lack of trusted parties. Even if Vitalik or Ethereum Foundation wanted to, they can’t modify the blockchain ledger. There’s no super-user permission, by design.
The immutability of the blockchain is final — except when it isn’t.
In a small number of special circumstances the community can override immutability. When consensus forms around a proposed change to the blockchain ledger, the change can be made.
“The Ethereum project has a plan for consensus, and the public debate we see today is part of that consensus-building plan. To come to agreement is not centralization.”
Why and How We’re Recovering our Endowment
Why we are attempting to recover the stolen endowment funds
The original intention of the Ethereum Foundation endowment grant was to encourage support of the developer community, and by extension, the overall Ethereum ecosystem.
Since that time, a range of projects including MyEtherWallet, MetaMask, Consensys, zeppelinOS, and many more have starting accomplishing a lot of our original intended goals for the Ethereum Foundation grant. The landscape has changed quite a bit in three years, as have the needs of the community.
This raises the question — if we were to now recover any of the endowment, what else could it be used to fund, keeping within the spirit of open-source code and community benefit requested via the original grant?
TapTrust: Removing Risk from the Crypto Economy
Our new project, called TapTrust, is helping to reduce risk in the cryptotoken economy. More details will be announced soon.
As for how the endowment funds will be recovered, there are two options.
Option 1: A Private Settlement
The first and most preferable way to resolve this situation is to attempt communication and resolution directly with anyone who currently has access to the endowment funds. This wouldn’t be the first time that a hack would be resolved this way — a hacker who stole a similar amount of ether from investors in the CoinDash ICO returned over 30,000 of the stolen ether to CoinDash.
Here is the message in English, with versions in German, French, Russian, Spanish, and Chinese included at the bottom of this page.
On December 15, 2015, 41,234 ether that had been sent to a participant in the Ethereum Foundation DEVGrant program was stolen from address 0x1757a569de8525aa8f1990095aa5e4ec8cccdae1 and moved to address 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5.
This is a message for whoever controls address 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5:
From now until May 30 2018, we are making the following offer:
If you return at least 50% of the funds to address 0x2ba90431EfaF7877AEE212a2330235FcfcA9CbeD, we will finalize your ownership of the remaining 50% of the stolen funds.
In the event that someone takes us up on this offer to return at least half of the funds, we will categorically assume they have been a well-intentioned white-hat hacker, and we will consider the case to be closed and fully resolved.
Option 2: Recovery by Consensus
If as of January 30 2018, the private settlement has not been successful, we move onto the second option, which is to submit a frozen fund recovery proposal for an upcoming already-planned Ethereum network update to move the balance of the stolen funds to a new escrow address. This recovery would only take place once the supporting evidence has been thoroughly reviewed, and once there has been enough time with this story being public to ensure that it is unlikely that we will ever reach a private settlement with the owner of the new address.
Given the largely negative response to our initial EIP — which wasn’t even proposing a recovery, but only formatting guidelines for recovery proposals — it is somewhat likely that the community will not be able to form consensus on either our case, or any other frozen fund cases — including the funds now affected by the Parity multi-sig freeze.
However, it’s still important that we put our best attempt forward and make sure we do address the issue of frozen funds, despite the controversy. If the community is unable to recover millions of dollars worth of funds stolen from a developer grant, that should perhaps be considered to be a referendum on the overall topic of finality on the Ethereum blockchain. This lack of ability to make rare exceptions to the rule of absolute immutability may ultimately have a negative impact on the protocol’s potential for truly widespread adoption. If we are able to form consensus on the recovery of hacked — and now frozen — funds, that is likely to inspire further confidence in Ethereum as a platform that shows a willingness to help users recover from extreme catastrophes.
Distributing the recovered funds
In the event that our frozen developer grant funds are able to be recovered, a portion would be dedicated to fund our open-source TapTrust project, which is focused on improving the health of the largely Ethereum-based token ecosystem and encouraging safe mainstream adoption of tokens.
Just as we are offering to share a portion of the endowment with the current holder of the funds if they voluntarily return at least half of the funds, we are also offering to transparently distribute a portion of funds recovered via a consensus-based state change directly back to the community in some form. For example, if half of our recovery were to go towards, for example, a common insurance pool for frozen fund restitution (a proposition that has been put forth by several core developers), we’d have a principle of just over $17 million as of this writing. Of course, we’re also very open to suggestions from the community for feedback on this topic and other proposals.
Conclusion: Setting The Right Precedent
Whether a network patch includes a couple of lines of code to remedy the DAO smart contract exploit, or the Parity self-destruct bug, or a solution to our endowment theft, it’s going to be controversial. These “hard fork” remedies don’t scale and could potentially invite various problems including abuse and fraud.
Nevertheless, the ability for the community to govern itself is important. We see transparent consensus-based governance being in some ways just as important for the success of a blockchain as network performance. Just as CryptoKitties slowing down the network creates concerns among users and investors, every large unrecoverable exploit, hack, or instance of frozen funds creates similar concern among the enterprise users and Wall Street investors who to many represent the final boss in the process of mainstream adoption.
In sharing this story and our ideas with the public, we are hoping to continue the discussion regarding the role consensus has in this exciting new blockchain world. It is often said that in the blockchain “code is law”, but it’s up to us collectively determine whether that should or should not be at the expense of community consensus.
Private Settlement Message in German, French, Russian, Spanish and Chinese:
Am 15. Dezember 2015 wurden 41,234 Ether von Adresse 0x1757a569de8525aa8f1990095aa5e4ec8cccdae1 gestohlen und zu Adresse BBB transferiert. Diese (Geld-)Mittel stammten aus einem Entwickler-Stipendium der Etherum Foundation und waren für ein Projekt bestimmt welches der Gemeinschaft dient.
Diese Nachricht ist für wen auch immer, der die Adresse 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5 besitzt:
Von heute an bis zum 30. Mai 2018 bieten wir folgende Möglichkeit an: Wenn Sie mindestens 50% der Fördermittel an Adresse 0x2ba90431EfaF7877AEE212a2330235FcfcA9CbeD zurückführen, akzeptieren wir ihren Besitzanspruch auf die übrigen 50 %.
Le 15 décembre 2015, l’ether de 41,234 a été volé à l’adresse 0x1757a569de8525aa8f1990095aa5e4ec8cccdae1 et déplacé à l’adresse 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5. Ces fonds provenaient d’une subvention du développeur de la Fondation Ethereum qui a été offerte pour un projet au profit de la communauté.
Ceci est un message pour celui qui contrôle l’adresse 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5:
A partir de maintenant et jusqu’au 30 mai 2018, on vous fait l’offre suivante: si vous retournez au moins 50% des fonds à l’adresse 0x2ba90431EfaF7877AEE212a2330235FcfcA9CbeD, on finalisera votre appropriation des 50% restants des fonds volés.
15 декабря 2015 года эфир 41,234 был похищен с адреса 0x1757a569de8525aa8f1990095aa5e4ec8cccdae1 и перешел на адрес 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5. Эти средства были частью гранта фонда разработчика Эфириум (Ethereum), который был предоставлен для проекта в интересах сообщества.
Это сообщение предназначено тому, кто контролирует адрес 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5:
С настоящего момента до 30 май 2018 года мы делаем следующее предложение: если вы вернете хотя бы 50% средств на адрес 0x2ba90431EfaF7877AEE212a2330235FcfcA9CbeD, мы подтвердим ваше право собственности на оставшееся 50% похищенных средств.
Контактный адрес: firstname.lastname@example.org
El 15 de diciembre del 2015, ether del 41,234 fue robado desde la dirección 0x1757a569de8525aa8f1990095aa5e4ec8cccdae1 y trasladado a la dirección 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5.
Estas reservas provenían de un fondo de dotación de un promotor, que fue ofrecida a la Fundación Ethereum, para un proyecto que beneficia a la comunidad.
Este es un mensaje para quien controle la dirección 0x5696ae5ad2c22a4afc03bbae5bf18ca9278ae5c5:
Esta es nuestra oferta, a partir de hoy hasta el 30 de mayo del 2018: si ustedes devuelven al menos el 50% de las reservas a la dirección 0x2ba90431EfaF7877AEE212a2330235FcfcA9CbeD, daremos por finalizada la propiedad remanente del 50% de las reservas robadas.