A Post Mortem 💀 On The $180m Parity Ethereum MultiSig Self Destruct 💥 (ICO affected)


Story - A Post Mortem On The Parity MultiSig Self Destruct

Now if you have never studied software engineering, let me point out that this is a perfectly common practice. The phrase "don't re-invent the wheel" applies when developing software just as it does anywhere else. The classic example I'd give for this is a calendar system. Once someone has written the code that creates a 12-month structure with the correct number of days in each month, accounts for leap years and so on, what's the point in someone re-writing that from scratch? There isn't. So when I write, say, an address book app, I can just import this library of code and get calendar functionality in an instant. That practice is perfectly common; the downside is what happens when there is a flaw in that shared component.

The second thing to point out is that this self destruct function is also a perfectly legitimate feature, used when you want to retire old versions of smart contracts on the Ethereum blockchain. EtherDelta have done this periodically when upgrading their systems. It's why they make sure they remind everyone to transfer any Ether they left in the old contract to the new one.

So back to Parity then. I mentioned this in the last video when I covered this story but I'll say it again just to be clear: this problem specifically affects multi-sig wallets created with Parity. It is highly unlikely that the average user will have any funds in one of the 587 affected wallets. These wallets more likely belong to ICOs and Ethereum based apps. I believe ICONOMI have some of their Ether locked inside one of these wallets. Anyway, one random dude came along and managed to make himself the owner of the shared library contract that those 587 multi-sig wallets depended on for some of their functionality. He was then able to self destruct the shared library, and because every one of those wallets relied on that code, all 587 were affected at once.
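To make the mechanism concrete, here is a simplified Solidity sketch of the shared-library wallet pattern described above. It is an added example written for this page, not Parity's actual code: the contract and function names (WalletLibrary, Wallet, initWallet, kill, execute, WalletLibraryFixed) and the storage layout are assumptions chosen to illustrate the idea of many thin wallets delegating their logic to one library contract whose own storage was never initialised.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration (not Parity's code) of the shared-library wallet
// pattern: many thin Wallet contracts hold the Ether and forward every call
// via delegatecall to one WalletLibrary that holds the real logic.

contract WalletLibrary {
    address public owner;   // storage slot 0

    // Meant to run once per wallet, through the wallet's delegatecall, so
    // that `owner` is written into the *wallet's* storage. The flaw: nothing
    // stops anyone from calling it directly on the library contract, whose
    // own `owner` slot was never set.
    function initWallet(address _owner) public {
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function execute(address payable to, uint256 value) public onlyOwner {
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }

    // Legitimate retirement feature. Run by whoever owns the library
    // contract itself, it erases the code every wallet depends on.
    function kill(address payable to) public onlyOwner {
        selfdestruct(to);
    }
}

contract Wallet {
    address public owner;           // storage slot 0, same layout as library
    address public immutable lib;   // immutable: lives in code, not storage

    constructor(address _lib, address _owner) {
        lib = _lib;
        // Run the library's initialiser in this wallet's storage context.
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address)", _owner)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Everything else is forwarded to the library. After the library has
    // self-destructed, a low-level delegatecall to an address with no code
    // returns success with empty return data, so execute() silently does
    // nothing and the Ether held here can no longer be moved.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}

// Attack sequence (two ordinary transactions, no wallet involved):
//   1. attacker -> WalletLibrary.initWallet(attacker)   // slot 0 was empty
//   2. attacker -> WalletLibrary.kill(attacker)         // now passes onlyOwner
//   From the next block on, every Wallet delegatecalls into empty code.

// One way to close the hole (an assumed hardening, not Parity's fix): make
// the library's own storage look initialised at deployment and refuse to
// re-initialise, so initWallet only ever succeeds inside a fresh wallet.
contract WalletLibraryFixed {
    address public owner;

    constructor() { owner = address(this); }   // library's own slot is taken

    function initWallet(address _owner) public {
        require(owner == address(0), "already initialised");
        owner = _owner;   // still works once per wallet via delegatecall
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function kill(address payable to) public onlyOwner {
        selfdestruct(to);
    }
}
```

The point worth checking in any delegatecall-based design is that the logic contract's own storage is either initialised in its constructor or guarded so that it cannot be claimed by an outsider; a low-level delegatecall to a destroyed contract does not revert, which is why the wallets here keep their Ether but lose the ability to spend it.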
Parity say here that the total amount of Ether now stuck in these wallets is 513,774, or about $180m at today's price. This money is stuck because the code that would allow you to withdraw the Ether from these smart contracts has been deleted by this self destruct function: the wallets themselves are still there holding the Ether, but the library they call into for that functionality no longer exists. So it's clear that this bug crept in when Parity made their modifications, and they are tactfully saying as much here. But why didn't anyone spot this, you may ask? Someone did. Parity specifically say they interpreted that report as an enhancement, which is why they saw no rush to deploy a fix. In the meantime, someone was able to initialise the library contract themselves, make themselves its owner, and then self destruct it. In terms of a remedy, they have put forward some changes to the Ethereum protocol that would potentially allow the funds to be unlocked; however, this isn't a quick process. So until further notice that 513,000 Ether is stuck. Potentially forever.

And in a perfect segue into a highly relevant project, I have a mild apology to issue.

Story - An Apology

I released a video on Friday highlighting the two ICOs I was currently looking at contributing to. I called that video ICO picks for December 2017 because even though the Quantstamp ICO started in November, it was to run for 30 days through to mid December. The Quantstamp ICO opened on Friday the 17th of November at 2 PM London time. https://twitter.com/Quantstamp/status/932157945395027968 Less than 48 hours later, at 8.05 AM on Sunday the 19th of November, Quantstamp tweeted an announcement that the crowdsale was over. https://token.quantstamp.com/crowdsale/?v=4 They sold out in 2 days, raising 87,000 Ether, which is approximately $30m at today's price. In fact, the original goal was 100,000 Ether, but they decided to reduce that to 87,000 towards the end and burn the excess tokens to reflect the increasing price of Ether.
That says a lot about the team and their character, and I will endeavour to highlight these kinds of projects earlier than I did this time, although I did not expect it to sell out so quickly, or for them to lower the hard cap.

Photo courtesy of National Nuclear Security Administration / Nevada Site Office [Public domain], via Wikimedia Commons