Nearly 600 users of the Parity Hardware Wallet lost access to their ETH tokens when an unknown hacker exploited a vulnerability in the company’s code on November 6th. In a recently released Post Mortem detailing the exploitation and the subsequent steps that Parity has taken, the company acknowledged that the team knew about the vulnerability well before the exploitation occurred.
According to the Post Mortem, a Github contributor suggested the change that would have prevented this freeze from happening. Preceding the incident, the initWallet code (the code in question) was considered to be a mere “convenience enhancement.” While the Parity team decided that it would indeed adopt the suggested changes to make the initWallet code less vulnerable, it decided to wait to include them as part of a “regular update at a future point in time.”
Parity also acknowledged that the freeze could have been avoided if the “contract code had not included the functionality to suicide or kill.”
What Happened: An Unknown User Exploited Library Contract Vulnerability
The trouble began on November 6th, when an unknown user exploited a vulnerability in the Parity wallet code. InitWallet was a library function for Parity’s multi-signature hardware wallets. The unknown user “suicided” the code, which ultimately resulted in the freezing of some 513,774.16 ETH as well as “additional tokens”.
The user allegedly behind the attacks posted the words “anyone can kill your contract” under the username ‘devopps199’, followed by “I accidentally killed it.” The user took advantage of the vulnerability in the code by making himself the “owner” of the library contract before destroying it. The user did not gain access to any of the ETH that were blocked by his attack.
Blockchain Key Players to Gather in Bloconomic Expo 2019Go to article >>
Steps to Recovery: The Path is Unclear
It is unclear how or when Parity will be able to recover access to the 587 users who were affected by the hack. However, the company stated that they are “working hard on several Ethereum Improvement Proposals” (EIPs) that could potentially unblock the funds.
Further, Parity has made the decision to remove “the ability to deploy multi-sig wallets until we feel we have the correct security and operations procedures in place so that we can be confident this will not happen again,” although Parity’s UI will still be compatible with previously deployed multi-sig wallets that have been “deemed secure,” including Gnosis and WHG.
Parity is also in the process of “commissioning another full-stack external security audit.” While Parity’s pre-hack ‘Foundation’ multi-signature wallet code had been audited by Parity Technologies itself, the Ethereum Foundation’s DEV team, as well as others, regular full-stack external audits had only been commissioned for the smart contracts that were written by Parity.
Among other things, the company has also taken steps to incentivize free-wheeling auditors to find and report bugs in the Parity code, and will develop an internal team who will be dedicated to “operational security.”
As cryptocurrency continues to become an increasingly normal part of financial technology and its user base continues to expand, wallet security becomes an increasingly important concern. While no hacker made off with some thousands or millions of dollars in this case, hundreds of people have been affected nonetheless. We can only hope that this issue is resolved sooner rather than later.