Nettitude Blog

How $300 million worth of Ether was permanently locked up

Posted by Richard Dennis on Nov 15, 2017 4:37:58 PM

Nettitude Tehnical Researcher, Richard Dennis, explains how $300 million worth of Ether was permanently locked up.

computer_coding

A quick introduction to Ethereum

Ethereum is arguable the second largest cryptocurrency currently in use today. Launched in 2015, it is a blockchain based network, created by a Bitcoin programmer, Vitalik Buterin. While Bitcoin is the first decentralized cryptocurrency, Etherum, while also a decentralized cryptocurrency, wanted to do more with the blockchain, and instead is trying to become a “world computer” in addition to a cryptocurrency.

Is Ethereum different from Bitcoin?

The key difference in Ethereum compared to Bitcoin, is the ability to do “smart contracts” on the blockchain. Ethereum enables developers to build and deploy decentralized applications. A smart contract allows a piece of code to be run on the blockchain. This code for example could allow the exchange to content, money or anything of value. This contract acts as a self-operating computer program and will run automatically when the pre-defined conditions are met. This is due to the nature of the blockchain, where every node on the network will run this code when needed, ensuring this program will always be run and no longer depends on a single machine to do it. Because smart contracts run on the blockchain, they run exactly as programmed without any possibility of censorship, downtime, fraud or third-party interference. 

How did the $300 million worth of ether get locked up?

About $300 million worth of Ether—the cryptocurrency unit of Ethereum - from dozens of Ethereum wallets was permanently locked up, and now will never able to spent. Smart contract coding startup Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced its "multisignature" wallets created after this July 20 contains a severe vulnerability that makes it impossible for users to move their funds out of those wallets.

A theft of $32 million of ether occurred from Parity, the wallet provider in July 2017. This was caused by a vulnerability in how the multisignature wallets are used. A multisignature wallet requires 2 out of 3 keys to authorize a transaction, instead of the classic wallet requiring only a single key, this prevents a single user from being able to spend the funds, instead requiring a third party now to authorize the spending of the funds. In attempting to fix the bug which caused the theft, a new vulnerability was created in the library contract, allowing a single user “Devops199” to gain control of every multisignature wallet as the main owner. This would mean Devops199 would be able to spend all funds in the wallet.

Devops199, once realizing what happened attempted to fix this issue by deleting the code. This however, locked all funds into multisingature wallets permanently with no way to access them. The deletion of the code, now means the wallets does not contain any internal logic, so do not know what conditions need to be met before sending transactions and does not contain the private keys for the addresses either. Developers are currently exploring potential solutions to recover access to the funds, but early reports indicate that the funds would only be recoverable through a hard fork to the Ethereum platform.

Can this be fixed?

A hard fork is where the developers of Ethereum recode the blockchain to give back the lost funds to its owners. However, this now breaks the security model of a decentralized network, which is designed to have no single entity control it, by showing a small number of developers can add data to the blockchain as they please.

Would this happen again?

This type of bug only effects a parity a wallet provider and now the ethereum protocol, however since wallet providers are common for all cryptocurrencies including Bitcoin, it is very possible this type of problem will occur again.

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

Our experts use an award winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.

Receive an update when we post!

Recent Posts