The Parity multi-sig wallet hack debacle

The Parity multi-sig wallet hack debacle

On the 7th of November 2017, a vulnerability was discovered in multi-sig Parity wallet which allowed anyone to essentially gain administrative rights over the smart contract by becoming the owner. Someone subsequently exploited this and executed a locking function on the contract, causing the funds to be locked away forever.

The user claiming to be responsible for this hack has posted about it on social media and Github:


The affected smart contract can be viewed here on Etherscan. The total number of lost Ether is not fully known yet but numbers circulating around social media range from 300,000 to 500,000 Ether lost. This means a potential loss of up to $150,000,000 at the current value of Ether. There is absolutely no way to recover this locked Ether without a hard fork of the Ethereum blockchain.

Quick history lesson

This massive loss of Ether is affecting some large companies, including Iconomi which was storing roughly ~20% of all of it's assets in the affected contract. Thus, a lot of users are discussing the idea of a hard fork to recover the lost funds. A hard fork, for those who don't know, essentially creates a new blockchain off of the old Ethereum blockchain. This means that the old blockchain can continue to exist with the locked funds while a new one will be created where the funds are recovered.

This is the source of huge debate in all of cryptocurrency at the moment and is a controversial topic. The question really boils down to something rather simple, should be protect investors and private individuals who write flawed smart contracts which are then exploited?

This is a familiar story for Ethereum unfortunately. In 2016, another smart contract known as The DAO was hacked and a far more significant number of Ether was not locked, but stolen by a malicious attacker. This hack caused the Ethereum Foundation, the team behind Ethereum to hardfork and recover the funds. Many people were opposed to this (including me), comparing it to the equivalent of bailing out the banks.

Ethereum actually allowed people to "vote" on whether or not to support this fork, however, "yes" was selected by default in the background and you had to run the Ethereum client with a special command to vote "no" on the fork, hardly a fair voting system. Imagine living in a country where your vote is automatically yes to whatever the government says unless you specifically participate and vote no.

Why we shouldn't bail out Parity

Saving investors from massive losses may sound like a good idea, however there is one major issue. Ethereum's smart contracts are supposed to be immutable, that is essentially the whole point of a smart contract, is that nobody can change it once it has been written and deployed. What would be the point of agreeing to a contract if it can be changed without your agreement?

Furthermore, where do we draw the line and who decides on who gets a bailout and who doesn't? Does the small company which made a fatal mistake in their contract and face bankruptcy get a bailout or is it only companies with significant levels of capital? Are some too big to fail? Clearly, they already are. Nobody believes for a second that if they, as a small individual/business write a flawed smart contract will get an entire hardfork dedicated to retrieving their lost funds.

The fault lies entirely with the entity that wrote the flawed smart contract and is not a flaw with the Ethereum blockchain, so why should the Ethereum Foundation get involved in these private matters? It also raises much more serious concerns.

One can imagine a scenario in which two large companies agree on a smart contract, except one of the companies does something that is coded into the smart contract that the other company doesn't agree with and wasn't aware of. This causes the company to lose all of their capital and go bankrupt. If a significant amount of Ether is involved in this hypotethical scenario, do we bail them out too? If not, why are we drawing the line there?

In conclusion

That is essentially the debate, it's that simple. I'm a huge fan of Ethereum but if they choose to hardfork again or even include a fix for the contract in one of their future existing planned hardforks, I'll start to lose faith in Ethereum as a concept. This doesn't mean that I'll sell all my Ether and never invest in any Ethereum-based tokens again, as I'm a pragmatist and don't believe that this will necessarily cause Ethereum or the tokens existing on its blockchain to lose value. I will simply lose faith in the concept of the smart contracts on Ethereum's blockchains being truly immutable or trustworthy, as who knows whether or not you or your company will qualify for special treatment on behalf of the Ethereum Foundation.