paint-brush
Oops I just lost $156m — the fallout from one novice Ethereum developer’s “accident”by@galka_max
732 reads
732 reads

Oops I just lost $156m — the fallout from one novice Ethereum developer’s “accident”

by Max GalkaNovember 13th, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Since the Parity wallet bug was <a href="https://medium.com/web3foundation/web-3-multi-sig-wallet-update-245d30df0fb3" target="_blank">first reported on Tuesday</a>, we have encountered a lot of conflicting information regarding the size and scope of the issue.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coin Mentioned

Mention Thumbnail
featured image - Oops I just lost $156m — the fallout from one novice Ethereum developer’s “accident”
Max Galka HackerNoon profile picture

Since the Parity wallet bug was first reported on Tuesday, we have encountered a lot of conflicting information regarding the size and scope of the issue.

Some sources have reported as much as $300m worth of ether had been lost, while others have quoted a lower number of $150m. As for the number of wallets affected, a Google Docs spreadsheet that’s been making the rounds shows a total of 151 wallets. However, Parity’s own website shows the impact to be much larger with 584 wallets affected.

Even more importantly, we’ve seen little to no information at all regarding the organizations who own these wallets. And if you’re not sure why that matters, consider the chart below.

Many of these wallets belong to companies that raised the money via an ICO. If that money is gone, it’s not just a problem for the company. It’s a problem for everyone who owns its tokens.

Based on the data we’ve collected, here is our assessment of the situation. We examine the magnitude of the impact and the list of companies/ICOs affected.

What happened?

On November 6th (last Monday), an Ethereum developer “accidentally” triggered a bug, wiping out a library of code that Parity’s multi-sig wallets depend on. With the code deleted, the ether sitting inside those wallets is for all intents and purposes unreachable.

Discussion of the issue on Github

The developer is not affiliated with Parity and his Github account has since been deleted.

For a full explanation of how the breach happened, here is a great explainer by Comaelo’s Matt Suiche.

What is the impact?

We count 598 affected wallets with a combined balance of 514k ETH, valued at $156 million based on an ETH price of $304.

The script we used to reach these figures is posted here. Essentially, these are its steps:

  • Loop through every smart contract deployed on Ethereum since July 20. This is the date that the code library in question was created, so any smart contracts that rely on it would necessarily have been deployed after this date.
  • Identify the affected wallets by looking for the string “863df6bfa4469f3ead0be8f9f2aae51c91a907b4” somewhere in the body of the smart contract initialization code. This string is the address of Parity’s code library and it is hard-coded into their wallets.

Affected wallets are identifiable by the presence of the string “863df6bfa4469f3ead0be8f9f2aae51c91a907b4” in their initialization code (image from Etherscan)

  • To determine how much ether was lost, loop through each of the affected wallets and grab its current balance using the JSON RPC API.

You can find the code for this script and the full list of affected addresses here.

As stated above, we count 598 affected wallets. But the damage is not nearly as widespread as that number would imply. 496 of the wallets are empty (balance of < 1 ether). And of the remainder, the loss is heavily concentrated in a few large wallets.

Most notably, 60% of the entire loss ($93m of the $156m total) comes from a single wallet belonging to the Web3 Foundation, an organization closely affiliated with Parity itself. The funds had just been raised a few weeks ago in the ICO for the Foundation’s new multichain project Polkadot.

More below on which ICOs are affected.

Why is there such a large discrepancy in the loss numbers being reported?

In contrast to our loss estimate of $156m, many sources have reported a much higher figure, in the ballpark of $300m. These reports all appear to trace back to a single tweet from Patrick McCorry, a blockchain researcher at University College London, in which he estimates a total loss of $278m.

Shortly after sending out the tweet, McCorry found an error in the calculation and posted a correction, revising the figure down to $154m. That amount was also independently verified on Parity’s own Gitter chat. Yet, the inflated number has continued surfacing in the news, as recently as earlier today.

Which ICOs are affected?

The graphic below displays every affected wallet with a balance of at least 33 ETH (about $10,000). Our data shows 16 of these wallets to be associated with an ICO fundraising.

ICOs impacted by the wallet freeze (graphic and data by: Elementus)

Note: Ownership of these wallets has not been verified with the companies. The associations are our own estimations based on the data we’ve collected.

In summary…

598 wallets are impacted, but only 60 of those wallets have a balance greater than $10,000 (those shown in the graphic above).

The total loss is 514k ETH / $156 million, not $300 million, as many news stories are reporting.

The biggest loser in all of this is Parity itself. They own the $93 million wallet, which represents 60% of the entire loss.

At least 16 of the affected wallets are associated with companies that have raised money via an ICO.

In these 16 cases, it is not only the companies who are affected. Their token holders are affected as well.

Originally published at elementus.io on November 10, 2017.