Has Ethereum been hacked?
Tuesday, November 14, 2017
A massive £131 million in crypto has been frozen - but was it an attack?
The crypto community is divided once again, and this time it’s not over a code fork - but over a financially devastating potential attack. A vast sum of Ethereum, one of the top three blockchain cryptocurrencies by any measure, has been locked in business owners’ wallets by the incident, and unsurprisingly the victims are becoming increasingly vocal.
A user known as ‘devops199’ on GitHub discovered a vulnerability in the library contract behind the popular Parity Wallet’s standard multi-sig contract, which allowed ‘devops199’ to become the owner of that contract. The user’s next move was to ‘suicide’ (self-destruct) the smart contract underlying the multi-sig wallet, which deleted the library code governing it. The result is that multi-sig Parity wallets created after 20 July were frozen - blocking the funds of 587 wallets holding a total of 513,774.16 Ether, approximately £131 million.
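As an added illustration (not Parity’s code and not part of the original article), the Solidity sketch below models the failure mode just described: a shared library contract that thin wallets reach via delegatecall, whose own storage was never initialised, so anyone could claim it and then self-destruct it. It sits beside a hardened version. The names `VulnerableWalletLibrary`, `HardenedWalletLibrary`, `initWallet`, `kill` and `Wallet` are assumptions for illustration only, and the logic is deliberately simplified.

```solidity
pragma solidity ^0.4.24;

// Illustrative only: hypothetical names, simplified logic, not Parity's source.
contract VulnerableWalletLibrary {
    address public owner;   // slot 0, shared layout with every wallet below

    // Guards against re-initialisation. It works for a wallet (this code runs
    // in the wallet's storage via delegatecall) but is useless on the bare
    // library, whose own storage nobody ever initialised: owner is still 0x0.
    modifier onlyUninitialised() {
        require(owner == address(0));
        _;
    }

    function initWallet(address _owner) public onlyUninitialised {
        owner = _owner;
    }

    // Whoever claimed the library via initWallet can now erase its code.
    // After selfdestruct, every wallet that delegates here executes nothing.
    function kill(address _to) public {
        require(msg.sender == owner);
        selfdestruct(_to);
    }

    function execute(address _to, uint _value) public {
        require(msg.sender == owner);
        _to.transfer(_value);
    }
}

contract HardenedWalletLibrary {
    address public owner;

    modifier onlyUninitialised() {
        require(owner == address(0));
        _;
    }

    // Fix 1: initialise the library's OWN storage at deployment so the guard
    // rejects initWallet on the library instance itself. Wallets are not
    // affected: a constructor never runs in a delegatecalling contract.
    constructor() public {
        owner = address(this);
    }

    function initWallet(address _owner) public onlyUninitialised {
        owner = _owner;
    }

    // Fix 2: no selfdestruct in shared code. Retiring one wallet is a wallet
    // concern; removing code that every wallet depends on must be impossible.

    function execute(address _to, uint _value) public {
        require(msg.sender == owner);
        _to.transfer(_value);
    }
}

// Thin wallet that forwards calls to the library, as Parity-style wallets did.
contract Wallet {
    address public owner;           // slot 0: written by the library's initWallet
    address public walletLibrary;   // slot 1: never touched by library code

    constructor(address _lib, address _owner) public {
        walletLibrary = _lib;
        // Runs initWallet in THIS contract's storage, setting owner above.
        require(_lib.delegatecall(abi.encodeWithSignature("initWallet(address)", _owner)));
    }

    function () public payable {
        if (msg.data.length == 0) return;   // plain ether deposit
        // Fix 3 (defensive): refuse to forward when the library has no code.
        // A delegatecall to a code-less address SUCCEEDS and silently does
        // nothing, which is exactly how funds end up stuck rather than stolen.
        require(hasCode(walletLibrary));
        require(walletLibrary.delegatecall(msg.data));
    }

    function hasCode(address _a) internal view returns (bool) {
        uint size;
        assembly { size := extcodesize(_a) }
        return size > 0;
    }
}
```

The detail a defender should take from this is the last one: the EVM treats a delegatecall to an address with no code as a successful no-op, so a wallet whose library has been destroyed keeps accepting transactions and simply does nothing with them. The structural fixes are to initialise the library’s own storage in its constructor and to keep self-destruction out of any code that other contracts share.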
Arguably, the incident has mainly affected Ethereum holders with a desire for increased security in the shape of multi-signature wallets: often startups and other businesses with crypto holdings, such as enterprises which have recently completed an ICO (initial coin offering).
One such company, Cappasity, an AR/VR/3D content exchange platform startup currently running an ICO for the ARToken (AR), believes the incident was in fact a malicious attack.
“Our internal investigation has demonstrated that the actions on the part of devops199 were deliberate”, said the company in a statement.
Cappasity detailed a series of probing actions it claims the attacker conducted in the run-up to the incident, summarising: “Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hacking. We believe that if the situation is not successfully resolved in the nearest future, contacting law enforcement agencies may be the right next step.”
Ilia Kolochenko, CEO of High-Tech Bridge, said that relying on law enforcement in these types of situations can be fruitless: “People start feeling uncertainty, doubt and fear in the digital space. Even in developed countries, law enforcement agencies face a paucity of financing, lack of competent personnel, reluctant international investigatory cooperation and a skyrocketing number of cybercrime incidents. Thus, investigation of the overwhelming majority of digital crimes becomes virtually impossible. Cryptocurrencies and modern anonymization techniques can effectively preclude almost any technical investigation by private companies with the necessary resources.”
Jutta Steiner, Founder of Parity Technologies, expressed regret at the incident and called for calm: “We do ask that people get in touch with us if they have any uncertainties and to not believe the speculation circulating in the media. We are endeavouring to find a solution as soon as possible. While it is too early to decide on a fixed solution, EIP156 has been discussed for a significant time and has drawn support from various directions in the community. The team is working on a broadly accepted solution that will unblock the funds.”
Parity says it will issue a detailed postmortem imminently.
EIP156, mentioned above, is a proposal dating from 2016 by Ethereum creator Vitalik Buterin, designed to free up money locked in certain types of contracts. Another solution is a network-wide ‘hard fork’, possibly as part of the "Constantinople" network upgrade planned for 2018, although this last resort has been controversial in the past. In the summer of 2016, the Ethereum-based funding vehicle The DAO collapsed due to a vulnerability that was exploited to withdraw a large sum of Ethereum. In The DAO case, the attacker claimed that exploiting the vulnerability was a legitimate strategy, and attempted to claim the funds anyway.
Although the Parity wallet incident differs from The DAO attack in that the funds are frozen, rather than being stolen, the incident will once again set precedents for dealing with smart contract issues and vulnerabilities...