In the wake of one of ethereum’s largest-ever security exploits – if not the largest – the technology’s community is showing signs of possible crisis.
After “accidentally” hitting a vulnerable patch of code, a developer froze the money in all Parity multi-signature wallets deployed after July 20. Users of these wallets can no longer use the ether, totaling at least $150 million by some estimates.
But, the details are still fuzzy.
For now, perhaps the closest thing to an official estimate of how much money was lost comes from a loose group of computer science researchers who found that at least $154 million was lost due to the bug. They were able to obtain the number by looking at the contract that created the mess, then scanning the ethereum blockchain for similar smart contracts, University College London research associate Patrick McCorry told CoinDesk.
In dollar terms, that’s about three times the size of The DAO hack, an incident seen as perhaps the darkest event in ethereum’s history.
Though the exploit doesn’t affect ethereum as a whole, some in the community are worried the consequences will be far-reaching nonetheless.
Vulcanize engineer Rick Dudley told CoinDesk:
“My thoughts are we should seriously consider as a community what the limit of our forgiveness is. At what point do we have to start ostracizing people for security failures?”
He went on to call this an “existential risk” for the smart contract platform.
Careless smart contracts
Still, ethereum developers are quick to point out that this is a problem with the smart contract code built on top of ethereum, not with ethereum itself.
“It emphasizes what we already knew, that writing smart contracts is hard and that we’re still learning best practices and the chance to introduce bugs is still present,” said FunFair founder and CEO Jez San Obe.
There’s a danger to blockchain’s “unstoppable” code. While this property might ultimately improve a range of applications – from tracking food supply to social media platforms – the bugs are unstoppable, too, as has been demonstrated in expensive bug after expensive bug in code running on top of the blockchain.
Ethereum developers and researchers have advanced ethereum’s security on many fronts, with the goal of preventing events like The DAO from happening again. But perhaps the research is still too early-stage to breed banking-grade security.
Others criticize the Parity team, since this vulnerability follows not long after another bug in their software, which led to a $30 million hack in July.
“The situation certainly doesn’t inspire hope for their next update to patch this vulnerability,” said Eximchain CEO and co-founder Hope Liu.
Despite claims to the contrary, Parity maintains that it did have the code audited before deploying it. ZK Labs audited some of Parity’s code in October.
“We follow very high standards in our development, [including] peer reviews. There is also a bug bounty program to incentivize testing by the community,” a Parity spokesperson told CoinDesk in an email.
Problem with ethereum?
Others disagree that it’s a problem with the specific smart contract, however. Namely, the event gives ammo to long-standing critics of ethereum, who argue that the exploit demonstrates a fundamental problem with ethereum itself.
Litecoin creator Charlie Lee called ethereum a “hacker’s paradise” in conversation with CoinDesk.
“The Solidity language for writing ethereum contracts is one of the worst languages to use if you want to write bug-free code,” said Lee.
A long-standing critic of the way ethereum is designed, he added that it shouldn’t have been possible for the pseudonymous developer to touch other people’s money by doing what he or she did.
“[It’s] all sorts of facepalm,” he added.
Bitcoin Core contributor Johnson Lau called ethereum’s smart contracts “dumb contracts,” reflecting a view that the platform is not completely secure.
Others argue it’s more of a question of moral hazard. After The DAO was hacked last year, ethereum developers executed a controversial change to return the funds to their rightful owners.
Others suspect that eventually, people will go to court over these sorts of exploits.
“It seems inevitable that these high stakes will lead to court cases and ultimately result in states holding blockchain software developers – of all types – to equivalent standards with private companies in the legacy financial system,” said blockchain consultant Ciaran Murray.
Hard fork on the way?
So, is there a way to unfreeze these funds?
A so-called “hard fork” is one way to return funds to users. However, setting back the blockchain (and rewriting its distributed ledger) is a controversial method of making an upgrade. Last time ethereum developers executed one, the blockchain split into two competing networks. And, already, some users “refuse” to go along with such a change.
Localethereum published an informal Twitter poll asking “Should ethereum fork again?” with responses split roughly 50/50 so far.
Nonetheless, some think that a hard fork will be the likely recourse. Lau told CoinDesk that he “expects” ethereum will fix it with a hard fork.
“I wish [Parity] the best of luck in their hard fork petition or whatever,” Vulcanize’s Dudley said. “I really feel deeply sorry for the people who lost funds in this process, I hope none of them are killed over this.”
On the other hand, the company hasn’t said what recourse it will take. “It’s too early to decide on solutions,” Parity told CoinDesk.
Plus, others are still optimistic that ethereum developers will be able to find another workaround to rescue the funds.
Obe told CoinDesk:
“It’s too early to know if the expert white hat hackers will figure this out and find a short cut to repairing the damage and restoring the frozen funds. Don’t write off these geniuses figuring out how to unfreeze [the funds].”