Ethereum != Parity Bug

Today, someone on the internet who uses the handle “devops199” killed a contract on the Ethereum blockchain that was required for Parity multi-sig wallets to function.

WAIT! Don’t leave so fast just because that sounds overwhelmingly confusing. 

No wonder the Average Joe is panic selling his Ethereum. These technical introductions tend to sound overly complicated – and some people really did lose an awful lot of money. But, this isn’t actually Ethereum’s “fault”.

Here’s a breakdown – point by point, so everyone can understand exactly what happened.

  • Ethereum: a distributed global computing platform that developers can use to write smart contracts and decentralized applications in a programming language called Solidity.
  • Smart Contract: a contract that can be enforced by referencing instructions and data on the blockchain
  • Ether: the cryptocurrency that is part of (and required for interactions on) the Ethereum platform
  • Wallet: software or hardware that helps users manage public/private keys for controlling access to cryptocurrencies
  • Multi-Sig Wallet: a wallet that requires multiple parties to sign a transaction involving a cryptocurrency before it can be validated on the blockchain
  • Parity: an independent organization that develops things on/with/for the Ethereum blockchain.
  • Parity Multi-Sig Wallet: a multi-sig wallet developed by the Parity organization.
  • devops199: someone on the internet… now semi famous.

* * *

  1. Because Ethereum is a public blockchain, anyone—including devops199—can view the contents of the blockchain at any time. They can interact with the blockchain by paying some Ether.
  2. devops199 found a smart contract on the Ethereum blockchain that was developed by Parity. This particular smart contract was required for any Parity multi-sig wallet to authorize the movement of Ether it managed.
  3. devops199 took ownership of the smart contract, because Parity did not program the smart contract in a way that would have prevented this. Parity had a vulnerability in their smart contract.
  4. After taking ownership of the smart contract, devops199 killed the contract (this interaction famously cost him .27 USD in Ether).
  5. At this point, anyone relying on Parity’s Multi-Sig wallet to store/manage access to their Ether—which itself depended on the smart contract that had been killed—lost access to all Ether therein.

* * *

The Ethereum blockchain acted exactly as it had been programmed. The problem is that Parity hadn’t made this random kill call an impossibility – and so it actually worked when devops199 tried it.
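The five steps above can be replayed in a small model. This is an added example, not Parity's contract code and not part of the original post: `SharedLogic`, `Wallet`, `replay` and the `locked_at_deploy` flag are hypothetical names, and the model assumes the shared contract had an ownership slot that nobody had claimed when it was deployed.

```python
# Simplified model (added example, not Parity's code): each wallet holds its
# own ether but relies on one shared contract for all of its logic.

class SharedLogic:
    """Stands in for the shared contract every wallet depends on."""
    def __init__(self, locked_at_deploy):
        self.owner = None
        self.alive = True
        # Hardened variant: the ownership slot is closed at deployment.
        # Vulnerable variant: it is left open for the first caller.
        self.initialized = locked_at_deploy

    def init_owner(self, caller):
        if self.initialized:
            raise PermissionError("already initialized")
        self.owner = caller
        self.initialized = True

    def kill(self, caller):
        if caller != self.owner:
            raise PermissionError("only the owner may kill")
        self.alive = False   # the code is removed for every dependent wallet


class Wallet:
    def __init__(self, logic, balance):
        self.logic, self.balance = logic, balance

    def withdraw(self, amount):
        # Every withdrawal needs the shared code to still exist.
        if not self.logic.alive:
            raise RuntimeError("shared logic destroyed: funds frozen")
        self.balance -= amount
        return self.balance


def replay(locked_at_deploy):
    """Replay steps 3-5 and report what an unrelated wallet can still do."""
    logic = SharedLogic(locked_at_deploy)
    wallet = Wallet(logic, balance=100)
    try:
        logic.init_owner("stranger")   # step 3: claim ownership
        logic.kill("stranger")         # step 4: kill the contract
    except PermissionError:
        return "rejected", wallet.withdraw(10)
    try:
        return "killed", wallet.withdraw(10)
    except RuntimeError:
        return "killed", None          # step 5: balance is 100 but unreachable
```
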

You can blame devops199, you can blame Parity, you can blame the users who trusted their Ether to a third party and a contract that wasn’t properly audited.

But you cannot sincerely blame Ethereum.

Some people are blaming the Solidity programming language itself, and by extension Ethereum. This is about as misguided as blaming Java for an Android app misbehaving.

This whole space is very new, and bugs will pop up no matter what language is used to write smart contracts. DApps are the future, but without central authorities to appeal to – so is personal responsibility. A wallet DApp is a small subset of possible DApps – and obviously the stakes are very high for any wallet implementation.

Millions of dollars in digital assets cannot be lost by third party mistakes… unless that third party is first given some level of control over those assets.

Never put a third party between yourself and access to non-trivial amounts of your digital assets. That was the entire reason for the development of the blockchain!

P.S.

My sincerest condolences go out to the people affected by this unfortunate set of events. However, all parties involved with how and where to store the affected Ether share the responsibility for what happened. A programming language and/or a distributed computing platform are not convincing scapegoats.

8-Nov-2017: Fixed a typo.