A 3 minute guide to hacks and forks in cryptocurrencies
In May of 2016, an Ethereum project by the name DAO or “Decentralized Autonomous Organization” was able to raise $110 Million dollars, making it the largest crowdfunding campaign not only in ICOs, but also the largest crowdsourcing in human history.
Only two months after its launch, a series of vulnerabilities in its software were found, and hackers were able to steal over $50 million dollars in Ether (Ethereum’s currency), causing the price of Ether to drop from $20 to $13 per coin.
The hack was so significant that it quite literally split the Ethereum community. Some wanted the hackers to keep the money and others did not. So the decision was to split Ethereum into two tokens, through an event called a hard-fork. Those who didn’t want to revert transactions before the hack became “Ethereum Classic” or ETC and those who reverted the effects of the hack were part of “Ethereum” or ETH.
A year later, in July 2017, an Ethereum client by the name of Parity (produced by Parity technologies) lost approximately $30M in Ether to a bug that allowed for Ether in the parity multisignature wallet to be drained to other accounts. However since the exploit was discovered by benevolent people the money was returned and Parity was encouraged to do a security audit of their code. However it appears that they did not do so and another (very similar) exploit was found on Nov 7th which froze over $300M worth of ETH in parity multisignature wallets.
The $300M Parity Hack
Computational power is expensive on Ethereum. So the creators of Parity decided to handle wallet transactions through a lighter version of their contract, called a stub, which forwarded all contract calls to a master contract. However there was a bug in the implementation which could change the ownership of the master contract. The developers also had a self-destruct clause within the contract.
An unknown user by pseudonym “devops199” found this vulnerability and changed the ownership of the master contract, and then triggered the self destruct. Since he destroyed the master contract, all the stub contracts code was also destroyed. Causing all funds to be locked.
To be clear, the vulnerability was a mistake by Parity, and not a vulnerability of the Ethereum protocol itself.
In technical terms:
Parity wallets had normal multisignature wallets where each new user deploys a new contract with a full copy of the code. To reduce transaction fees, parity then changed the new wallet deployment to a stub contract that forwarded any contract code calls to a master contract using a delegatecall function instead of having a full copy of the code. This let the master contract execute the required piece of code in the context of the stub contract.
However parity did not remove the selfdestruct function in the master contract (this function makes sense if it was just a contract created for one particular user who does not want to use it anymore, but not when this contract code is shared amongst all users). Parity furthermore did not set the contract ownership of the master contract. This allowed someone to set themselves as the owner and then call the selfdestruct function.
This action destroyed the code used by all the stub contracts deployed since July 20. Those stubs therefore do not have access to functions that let them withdraw the Ethereum they contain locking them out indefinitely. Thus the master-stub design change which was the root cause of Parity’s previous multisig hack also caused this very expensive bug.
Conclusion: So what’s next?
Even if we fork Ethereum again, into some new form of new Ethereum, there will be no guaranteed way to recover the funds. Unfortunately, it looks like there has to be a new kind of fork, or the money will be locked forever. This is both the benefit and the problem of smart contracts, and the inflexibility of the Blockchain.
Interestingly enough, the price of Ether has not deviated much since the hack. Which may show that there is more confidence in the network than ever.
Looking to help?
Support us on Bountey! https://www.bountey.com/bestoficos
Want to stay up to date in ICOs?
Visit us at https://thebestoficos.com
Have an interesting story?
Write us at firstname.lastname@example.org