The Parity Hack

@devops199: I accidentally killed it.

It might not be quite as famous as “HODL”, but the concise, tragic comment of poor @devops199 on GitHub on November 7, 2017 could easily make a list of the top ten most famous quotes in blockchain history. Those words marked the loss of about $300 million worth of Ether.

The Parity wallet was a smart contract-based multisig wallet for holding Ether and any Ethereum-based tokens. The contract had (as is generally accepted practice in regular contracts) a self-destruct function and a way for the contract to be “owned” so that sensitive functions like… oh, I don’t know, maybe a self-destruct function couldn’t be called by just anybody.

The problem is that although it was a regular contract-type contract, it was being used as if it were a library, which doesn’t typically have an owner or a self-destruct function. Because it was treated as a library, it had never been initialized when poor ol’ @devops199 came along and started “poking around.” They were able to call the initialization function, thereby gaining ownership of the contract, and then “accidentally” called the kill function, causing suicide prevention hotlines to be posted all over Ethereum subreddits.
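The flaw described above, reduced to a minimal Solidity sketch beside a hardened form. This is an added example, not the Parity source: the contract and function names are hypothetical, and it assumes each wallet forwards its calls to one shared deployment with delegatecall.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: all names here are hypothetical, not the Parity source.

// BEFORE: shape of the flaw. The contract is deployed once and shared like a
// library, but nobody ever initialized the shared deployment itself, so the
// first account to call initWallet on it becomes its owner.
contract UnguardedWalletLogic {
    address public owner;

    function initWallet(address _owner) external {
        owner = _owner; // no "already initialized" check
    }

    function kill(address payable to) external {
        require(msg.sender == owner, "not owner");
        // At the time of the incident this deleted the contract's code,
        // breaking every wallet that relied on this deployment.
        selfdestruct(to);
    }
}

// AFTER: the shared deployment is locked at construction time and carries
// no self-destruct function at all.
contract GuardedWalletLogic {
    address public owner;
    bool private initialized;

    constructor() {
        // The constructor runs only against the shared deployment's own
        // storage. A wallet that delegates here keeps its own storage, where
        // `initialized` is still false, so it can be set up exactly once.
        initialized = true;
    }

    function initWallet(address _owner) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "zero owner");
        initialized = true;
        owner = _owner;
    }
}
```

A deployment test that calls initWallet directly on the shared contract and expects a revert would catch the unguarded form before release.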

Now, poor @devops199 took a lot of flak for doing this. They claimed they didn’t know what they were doing and were just experimenting in order to learn. Which honestly is a great way to learn. A member of the Parity team chastised @devops199 for not properly reporting a vulnerability, which is a valid point, but if @devops199 truly was a newb and not some leet haxor, how would they even know to do that? As a noob, wouldn’t you assume that one of the most popular Ethereum contracts in existence could be poked around at and not completely fall apart? Honestly, I’m surprised it didn’t happen sooner.

There are multiple lessons in this story. First, when you think you’ve tested your smart contracts enough, test them more. Have other people test them. Have strangers test them. Have them audited. Offer a bounty for people to “hack” them on the test networks. I wrote an entire long-winded article over on the web3devs blog about the blatant disregard for proper QA in the blockchain industry. Here’s an excerpt:

I would argue that a programmer cannot test their own code adequately, no matter their skill level. No matter how hard they try to look at a product objectively, the person that actually built that product will subconsciously only be looking at the “happy path”. To find an error in a product you’ve created is emotionally painful. As humans, our brains jump through every hoop we can find to avoid pain

Another lesson to realize is that not everyone out there has a financial incentive with your product. One of the strengths of blockchain technology is that there is typically a financial incentive to play by the rules. Therefore, it would make no sense for someone holding funds in a Parity wallet to “poke around” the contract just to see what was there. If you screw something up, you could lose all of your money. This works when everyone who can see your system is a user of the system. But what if your product gets as popular as Parity did? Their contracts were being held up as a gold standard and tutorials were written around them. Well, that means you’ll have a lot of noobs poking around who aren’t necessarily using your product and therefore don’t have a financial incentive to play by the rules.

Also, I guess this is another case where perhaps comments could have helped out a bit, maybe? If someone was poking around, found an exploit, but saw a comment in the code about a bounty being offered to report exploits, maybe that person would be more inclined to report it rather than to just see what will happen.

Anyways, while everyone was angry at @devops199, I’m inclined to think it really wasn’t their “fault.” Oftentimes when writing immutable smart contracts, the final blame comes down to the original developer. Keep that in mind next time you’re cutting corners to hit a deadline. Is that deadline really worth $300 million?

Copyright Solidity WTF 2018