A BUG in Parity Wallet ..Led to the freezing of $ 280 million worth of ETHERUEM

in #etheruem7 years ago (edited)

The $280M Ethereum’s Parity bug.

A critical security vulnerability in Parity multi-sig wallet got triggered on 6th November — paralyzing wallets created after the 20th July.

As you may have read, Parity issued a security advisory today to inform its users and developers about a bug that got “accidentally” triggered which resulted in freezing more than $280M worth of ETH, including $90M belonging to Parity’s Founder & Ethereum former core developer: Gavin Woods.

Sans titre1.jpg

How long has this bug been around for?
As Dan Guido points out, this new vulnerable contract has been deployed more than 100+ days ago on July 20th, one day after the original multi-sig vulnerability had been exploited and fixed.

Sans titre2.jpg

The Bug
A user named devops199 claimed he triggered the bug “accidentally” and reported it through a GitHub ticket.

3.png

The newly deployed contract, 4.jpg, contains a vulnerability where its owner was uninitialized. Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts.
The event occurred in two transactions, a first one to take over the library and a second one to kill the library — which was used by all multi-sig wallets created after the 20th of July.

Transaction #1

In the above transaction, the user initialized the owner to himself a.jpg of the Parity library using the b.jpg function which is the function that was originally exploited on July 19th. Assigning an owner to the library directly enabled the user to convert the library into a regular multi-sig wallet.

Sans titre4.jpg

Transaction #2

After initializing himself as owner of the library (now regular multi-sig wallet), the user was able to call the c.jpg routine which resulted in paralyzing all the wallets that were dependent of this third party library. This affects all the wallets created after 20th July, since they can’t use this library anymore.

Sans titre5.jpg

Conclusion

Even though the vulnerable smart-contract was open source and deployed months ago, this bug managed to escape code review done by the Parity team.

Since by design smart-contracts themselves can’t be patched easily, this make dependancies on third party libraries very lethal if a mistake happens.

The fact that libraries are global is also arguable, this would be shocking if it was how our daily use Operating Systems would work. Modern O.Ss improved their security over the past 20 years mainly because of all the security mitigations being implemented (NX, KASLR etc.), those mitigations come from the compiler and the O.S. itself. Every time a new class of bug is discovered, hardware and O.S. vendors work on kill the class of bug — hardforking should not be the only solution to problems. Writing virtual machines, and compilers is hard.

We have seen a lot of enthusiasm from a lot of people about blockchain-based smart contracts, and the general assumption from users is that they would be secure. But just like any other piece of software a smart-contract can be vulnerable.

All the recent security issues around smart contracts are challenging more and more the sustainability of storing money on a blockchain-based programmable software layer.

source:

https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513

Sort:  

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513