Parity Ethereum Frozen: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
References

[1] 'Accidental' bug froze $280 million worth of ether in Parity wallet. CNBC. https://www.cnbc.com/2017/11/08/accidental-bug-may-have-frozen-280-worth-of-ether-on-parity-wallet.html (Jul 27, 2021)

[2] @stonecoldpat0 on Twitter. https://twitter.com/stonecoldpat0/status/927885515407454209 (Jul 27, 2021)

[3] Parity Hack - 513k Ether ($154m). Google Sheets. https://docs.google.com/spreadsheets/d/18dUFWIk84dmJngBoZG8BBk6S_P2MIzKcUB5LMdUY1Kg/ (Jul 27, 2021)

[4] The $280M Ethereum bug. Comae Technologies (Internet Archive copy). https://web.archive.org/web/20171107203130/https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513 (Jul 27, 2021)

[5] @dguido on Twitter. https://twitter.com/dguido/status/927896527107952640 (Jul 27, 2021)

[6] update wallet library modifiers. Commit openethereum/parity-ethereum@6b0e4f9 on GitHub. https://github.com/openethereum/parity-ethereum/commit/6b0e4f9098be6b841353e7c4f116aa86b7c2e3d6#diff-8ea4aa7c2ba715c683bc764337f51585 (Jul 27, 2021)

[7] @ParityTech on Twitter. https://twitter.com/ParityTech/status/927887949219487744 (Jul 27, 2021)

[8] "I Learn Blockchain" - XII. Ethereum Security Parity First Security Incident Vulnerability Analysis. Programmer Sought. https://www.programmersought.com/article/57424019607/ (Jul 27, 2021)

[9] Parity Multisig Wallet Hacked, or How Come? Cointelegraph. https://cointelegraph.com/news/parity-multisig-wallet-hacked-or-how-come (Jul 27, 2021)

[10] @ParityTech on Twitter. https://twitter.com/ParityTech/status/927850992145719296 (Jul 27, 2021)

[11] A Postmortem on the Parity Multi-Sig Library Self-Destruct. Parity Technologies. https://www.parity.io/blog/a-postmortem-on-the-parity-multi-sig-library-self-destruct/ (Jul 27, 2021)

[12] Security Alert. Parity Technologies. https://www.parity.io/security-alert-2/ (Jun 23, 2021)

[13] List of Ethereum Smart Contracts Post-Mortems. OpenZeppelin Community forum. https://forum.openzeppelin.com/t/list-of-ethereum-smart-contracts-post-mortems/1191 (Jun 23, 2021)

[14] A Postmortem on the Parity Multi-Sig Library Self-Destruct. Parity Technologies. https://www.parity.io/a-postmortem-on-the-parity-multi-sig-library-self-destruct/ (Jun 23, 2021)

Revision as of 10:31, 14 April 2023


[Image: Parity]

Parity created a complex multi-signature smart contract with a public function that enabled anyone to claim ownership of a wallet.

Because of this complexity, the function was hidden in another part of the contract and was not easy to find. Parity had neither a formal audit nor a bug bounty program in place.

Eventually, a hacker found the function and used it to commandeer the funds of multiple projects. In response, Parity released a modified version of the contract.

This modified version contained a vulnerability that allowed all of the funds to be locked so that no one could use them. The vulnerability was then triggered, locking up significant funds.

There is presently no strategy or timeline for unlocking the funds. Doing so would require a fork of the Ethereum blockchain.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About Parity

"Several years ago Gavin Wood, Ethereum cofounder and CTO established EthCore, a non-profit organization that develops software for Ethereum infrastructure, which later changed its name to Parity Technologies. One of its products is Parity, an Ethereum client that provides a web interface for the underlying Ethereum node software. It allows the user to access the basic Ether and token wallet functions, and also to interact with smart-contracts deployed on the Ethereum Blockchain. The Parity wallet is designed to integrate seamlessly with all standard tokens as well as manage Ether transfers. It is compatible with Ubuntu, OSX, Docker, and Windows. The vast array of options offered by Parity wallet made it extremely popular in the crypto community."

"What if we no longer had to route our interactions through centralised services? What if data breaches were a remnant of an old flawed infrastructure? Each piece of Parity's technology is a step towards a society run on peer-to-peer networks instead of by a handful of corporations."

"Technology developed by a team of the world’s top blockchain engineers." "60+ developers across fifteen countries. A no-bullshit culture of getting stuff done." "In general, we treat security and consensus code extremely seriously at Parity."

"The original "Foundation" multi-sig wallet code was created and audited by the Ethereum Foundation's DEV team, Parity Technologies and others in the community. Many users rely on it, and it underwent extensive peer review. This body of code continues to have no known security issues. It was restructured by the Parity team into a lightweight "stub" smart contract which is deployed to the network every time a wallet is created, together with a much heavier "library" smart contract, containing the majority of the wallet's logic and which is deployed only once. While there was no formal audit, the contract had received many reviews internally and externally in the context of analyses of the July 19th exploit and the returning of the funds by the White Hat Group both before and after deployment in July."

A "new vulnerable contract [was] deployed on July 20th, one day after the original multi-sig vulnerability had been exploited and fixed."

"The company said that one person “suicided” the wallet, deleting its code and freezing all ether tokens contained within." "[A] bug that got “accidentally” triggered which resulted in freezing more than $280M worth of ETH, including $90M belonging to Parity’s Founder & Ethereum former core developer: Gavin Woods."

"On Monday November 6th 2017 02:33:47 PM UTC, a vulnerability in the “library” smart contract code, deployed as a shared component of all Parity multi-sig wallets deployed after July 20th 2017, was found by an anonymous user. The user decided to exploit this vulnerability and made himself the “owner” of the library contract. Subsequently, the user destructed this component. Since Parity multi-signature wallets depend on this component, this action blocked funds in 587 wallets holding a total amount of 513,774.16 Ether as well as additional tokens. Subsequent to destroying the library component, someone (purportedly this same user) posted under the username of “devops199” issue #6995 that prompted our investigation into this matter."

"The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized. Although the contract is a library, it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts."

"The event occurred in two transactions, a first one to take over the library and a second one to kill the library — which was used by all multi-sig wallets created after the 20th of July."
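The quotes above describe the mechanism: wallets were thin stubs that delegatecalled into one shared library contract, the library's own storage was never initialized, and the shared logic carried a self-destruct path. The following Solidity is an added illustration of the hardening pattern that closes that failure mode; it is not Parity's code and is not taken from the sources cited on this page. The contract and function names (WalletLibrary, WalletStub, initWallet) are assumed for the example. The library marks its own storage as initialized in its constructor, so the initializer can only ever act on a stub's storage, and the shared logic contains no selfdestruct at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Parity's code. Names (WalletLibrary, WalletStub,
// initWallet) are assumed for the example.
//
// The shared "library" contract holds the wallet logic; each wallet is a thin
// stub that delegatecalls into it, so the library's code runs against the
// stub's storage. Two rules close the failure mode the case describes: the
// library's own storage is marked initialized in its constructor so nobody can
// claim it as a wallet, and the shared logic has no selfdestruct path at all.
contract WalletLibrary {
    // Storage layout: must be identical in every stub (same slot order).
    address[] public owners;     // slot 0
    uint256 public required;     // slot 1
    bool private initialized;    // slot 2

    event Initialized(address[] owners, uint256 required);

    // Runs against the library's own storage exactly once, at deployment.
    // After this, initWallet() called on the library itself always reverts.
    constructor() {
        initialized = true;
    }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    modifier onlyOwner() {
        require(isOwner(msg.sender), "not an owner");
        _;
    }

    // Reachable only via delegatecall from a freshly deployed stub, whose
    // storage starts with initialized == false.
    function initWallet(address[] calldata _owners, uint256 _required)
        external
        onlyUninitialized
    {
        require(_owners.length > 0, "no owners");
        require(_required > 0 && _required <= _owners.length, "bad quorum");
        for (uint256 i = 0; i < _owners.length; i++) {
            require(_owners[i] != address(0), "zero owner");
            require(!isOwner(_owners[i]), "duplicate owner");
            owners.push(_owners[i]);
        }
        required = _required;
        initialized = true;
        emit Initialized(_owners, _required);
    }

    function isOwner(address who) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }

    // An owner-gated read, to show the guard in use. There is deliberately no
    // selfdestruct anywhere in the shared logic: destroying it would strand
    // every wallet that depends on it.
    function ownerCount() external view onlyOwner returns (uint256) {
        return owners.length;
    }
}

// Per-wallet stub. Its storage layout mirrors WalletLibrary exactly; the
// library address lives in immutable code space, not in a storage slot.
contract WalletStub {
    address[] public owners;     // slot 0
    uint256 public required;     // slot 1
    bool private initialized;    // slot 2

    address public immutable lib;

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        require(_lib.code.length > 0, "library has no code");
        lib = _lib;
        // Initializes this stub's storage only; the library's own storage is
        // untouched (and already marked initialized in any case).
        (bool ok, bytes memory ret) = _lib.delegatecall(
            abi.encodeWithSelector(WalletLibrary.initWallet.selector, _owners, _required)
        );
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
    }

    receive() external payable {}

    // Every other call is forwarded to the shared logic with delegatecall.
    fallback() external payable {
        address target = lib;
        (bool ok, bytes memory ret) = target.delegatecall(msg.data);
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

The design point is that delegatecall separates code from storage: the library's code is shared, but its own storage is a separate, normally unused account state that still responds to the same public functions. Anything a stub is allowed to do to its own storage can also be attempted against the library's storage unless the library closes that door itself, which is why the constructor initializes the library and why no destructive operation belongs in shared logic.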

"The coding “accident” affects all of Parity’s “multisignature wallets” — wallets that require one user to sign another’s transaction before it is added to the ethereum blockchain — which were created after July 20."

"When you are tracking all their transactions, you realize that they were deliberate... Therefore, we tend to think that it was not an accident. We suppose that this was a deliberate hacking. We believe that if the situation is not successfully resolved in the nearest future, contacting law enforcement agencies may be the right next step."

"This rather gives a lie to the idea that this was a one-off accident. Instead it looks as though devops199 was deliberately trying to break the multi-sig system and took a number of tries to do so."

"Although Parity didn’t disclose how much ether is currently frozen, French hacker Matt Suiche said in a blog post Tuesday that the code wipeout means that more than $280 million worth has been locked."

"To the best of our knowledge the funds are frozen & can't be moved anywhere. The total ETH circulating social media is speculative." "We are working on confirming the exact details and will inform the community as soon as we have them."

"We have reached out to affected users and are encouraging all those that we have not yet been able to reach to contact us community@parity.io. We recognize that the issue has, among other things, caused distress and anxiety about the future of projects and funds in our community and we are working hard to explore all feasible solutions."

"We deeply regret the situation and we are working hard on several Ethereum improvement proposals(EIPs), both contributing to previously existing ones and suggesting new ones that have the potential to unblock funds. These improvement proposals will also address general cases of blocked funds."

"There is no timeline for when such an improvement proposal could be implemented; we will follow the will of the community and go through the regular EIP process like any other protocol improvement. Parity Technologies will handle much of the development work around these proposals and work constructively with the Ethereum Foundation team and the community towards further protocol layer development. We are committed to the continued development of Ethereum."




What Happened


Key Event Timeline - Parity Ethereum Frozen

Date                 Event        Description
November 6th, 2017   Main Event   Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $280,000,000 USD.


Total Amount Recovered

There do not appear to have been any funds recovered in this case.


General Prevention Policies

One of the key features a successful multi-sig needs is simplicity, so that its security can be established with certainty. Complexity in a multi-sig defeats its purpose.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References