After someone going by “Devops199” managed to permanently lock up millions of dollars worth of other people’s Ethereum funds last week, the company that created the vulnerable code published a postmortem on the incident on Wednesday. It doesn’t look good.
According to Parity’s breakdown of the fiasco, the digital wallet company knew about the critical flaw since August and did not address it for months, until it was too late.
This much we already knew: Parity suffered a massive hack due to a critical vulnerability in mid-July, prompting it to push out new code on July 20th. Devops199 was poking around this code for multi-signature Ethereum wallets. They discovered a wallet that didn’t have an owner, and all Devops199 had to do to become its owner was call a function called “initWallet.” So, they did. Now, what Devops199 did next is a point of some consternation: After becoming the wallet’s owner, they called the “kill” function of the wallet, destroying it.
Parity released its postmortem of the incident on Wednesday.
That wallet was actually a code library for Parity multi-signature wallets, making them instantly useless and permanently freezing the funds inside. Multi-signature wallets are designed to have more than one owner, and so they’re popular with companies. After Devops199 killed the code library, the estimated amount of lost ether (Ethereum’s digital currency) was just under $300 million USD. Today’s Parity postmortem pegs that number at closer to $150 million, which is still nothing to sniff at.
According to Parity’s postmortem, a user on GitHub—where Parity’s code is hosted for all to see—named “3esmit” alerted the company to the code flaw in August. “BTW, when you deploy WalletLibrary, the init function will be open in that contract,” 3esmit wrote at the time. “I recommend you calling initWallet on WalletLibrary right after its deploy, just to ensure no one will use it.”
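To make the mechanism concrete, here is an added illustration in Solidity (written for this page; it is not Parity's WalletLibrary and the contract and function names are assumptions). The first contract shows the ownerless-library pattern the article describes: nothing prevents a stranger from calling `initWallet` on the library contract itself and then `kill`, which destroys the code every wallet delegates to. The second shows the hardening that matches 3esmit's advice: the library initialises itself at deploy time, and `initWallet` can only run once per storage context, so it still works for each wallet's own storage via `delegatecall` but is closed on the library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified stand-in for the pattern described above.
// NOT Parity's code: names and storage layout are assumptions.

// Vulnerable pattern: the shared library is deployed with owner == 0 and
// nothing stops anyone from calling initWallet on the library itself
// (rather than through a wallet that delegates to it).
contract VulnerableWalletLibrary {
    address public owner;

    function initWallet(address _owner) public {
        owner = _owner;               // no check that owner is still unset
    }

    function kill() public {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner)); // every wallet delegating here now points at dead code
    }
}

// Hardened pattern: the library initialises its own storage in the
// constructor, and initWallet refuses to run a second time.
contract HardenedWalletLibrary {
    address public owner;

    modifier onlyUninitialized() {
        require(owner == address(0), "already initialised");
        _;
    }

    // Runs in the library's own storage at deploy time, so the library is
    // never left ownerless. Same effect as calling initWallet on the
    // library right after deployment, as 3esmit recommended.
    constructor() {
        initWallet(msg.sender);
    }

    // Wallets reach this via delegatecall, so `owner` is the wallet's own
    // slot 0, which is still zero on the wallet's first call.
    function initWallet(address _owner) public onlyUninitialized {
        owner = _owner;
    }

    function kill() public {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner));
    }
}

// Thin wallet that forwards every call to the library with delegatecall.
// Slot 0 of this contract is the `owner` written by the library code.
contract Wallet {
    address public immutable libraryAddr;

    constructor(address _library, address _owner) {
        libraryAddr = _library;
        // Initialise this wallet's own storage through the library code.
        (bool ok, ) = _library.delegatecall(
            abi.encodeWithSignature("initWallet(address)", _owner)
        );
        require(ok, "init failed");
    }

    fallback() external payable {
        (bool ok, bytes memory ret) = libraryAddr.delegatecall(msg.data);
        require(ok, string(ret));
        assembly { return(add(ret, 32), mload(ret)) }
    }

    receive() external payable {}
}
```

Two deployment-time checks follow from this: after deploying any shared library, read `owner()` at the library address and confirm it is non-zero before pointing wallets at it, and ask whether a destructive function such as `kill` belongs in a shared library at all, since with the hardened version the deployer's key alone still decides the fate of every dependent wallet.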