Damage from vulnerability in the Parity Wallet and its consequences

As a result of the accidental use of a previously unknown vulnerability in the source code of the Parity Ethereum Wallet this Monday were "frozen", and actually lost funds in the accounts of many customers and projects. Save them, can only hardfork, similar to the project  of TheDAO tokens rescue in July 2016. In the company Parity Technologies responded to outrage of the public and the experience of customers only on Wednesday - 2 days after the blocking of funds in the blog officially confirmed the existence of a critical security threat: "Unfortunately, the code found a new vulnerability, which made it possible to transform the Parity Wallet contract into an ordinary multi-signature wallet, and to change its owner using the initWallet function call. This vulnerable code appeared in the software after its update as a result of the July 19 events. "

By correcting one vulnerability, the developers of Parity created another, no less dangerous, which makes them seriously question about their qualification.

Also, a special website is launched where users can check if their funds are blocked by specifying their address in the form of a request for the Ethereum Wallet. The site has statistics, from which it can be seen that as of November 9, 573 victims were registered. In total, the error has affected 584 electronic wallets.

Opinions of industry representatives:

Vitalik Buterin  @VitalikButerin

"I am deliberately refraining from comment on wallet issues, except to express strong support for those working hard on writing simpler, safer wallet contracts or auditing and formally verifying security of existing ones."

Parity Technologies @ParityTech

"Update: To the best of our knowledge the funds are frozen & can't be moved anywhere. The total ETH circulating social media is speculative."

Damage assessment and affected start-ups

Judging by the list of addresses of blocked Wallets that appeared on Thursday in Gitter-Chat Parity, more than 900 000 ETH were blocked at the current exchange rate of about $ 280 mln. Some of these funds were collected during the crowedfunding campaigns (ICO). 

Here are just some of the affected projects:

Polkadot, ~ 306 276 ETH, address 0x3bfc20f0b9afcace800d73d2191166ff16540258

Iconomi, 114,939 ETH, address 0x376c3e5547c68bc26240d8dcc6729fff665a4448

Musiconomi, ~ 16 475 ETH, address 0xc7cd9d874f93f2409f39a95987b3e3c738313925

 It turns out that only the three largest projects lost almost 440 000 ETH, that is, almost 150 million dollars at the current rate! Even more piquancy of the situation is attached to the fact that they suffered these losses not even as a result of a hacker attack, but because of the random actions of a person who decided to practice in operations with smart contracts.

The largest project with blocked funds was the startup Polkadot, whose team is developing a protocol for exchanging information between independent blockers. The company has already commented on what happened:

"Although access to some assets was lost due to a vulnerability in Parity software, this purse contained only a portion of the Web3 Foundation's funds. Therefore, the Polkadot team will continue to work on the project according to the previously approved plan without changes. "

On this news, the Ethereum rate briefly dropped by $ 20, but by the evening of November 9, it returned to the position and rose to $ 330 per 1 ETH. The official statements or announcements about the solution of the problem with smart contracts from the company Parity has not yet followed. Developers now only analyze the situation; however, as it was already noticed earlier by Martin Swende, without hardfork it will be difficult to manage.

Given Vitalik Buterin's rather cool position, it will not be easy to achieve the second "saving" hardfare, even if included in the release of Constantinople, which will probably take place in the first months of 2018. The previous hardcore, undertaken to return funds, led to the fusion of Ethereum Classic, something similar can happen this time. In addition, the reputational costs are unnecessary for the Fund of the Etherium.