Summary of recent Parity hack

Summary of recent Parity hack

Kamal

This is what we understand about the 'hack' that locked up more than $200 million eth yesterday.

Some background about Parity Wallet

It's one of (popular) Ethereum client. Official client from Ethereum project is geth (cli) and Mist (GUI on top of geth) - https://ethereum.stackexchange.com/a/30130

What is Etherium client ?

An 'Ethereum client' is just a term. It refers to any node able to parse and verify the blockchain, its smart contracts and everything related. It also allows you/provides interfaces to create transactions and mine blocks which is the key for any blockchain interaction. - https://ethereum.stackexchange.com/a/279

So what happened yesterday ?

Due to some bug in Parity client, a user with Github handle devops99 manage to claim ownership on a special wallet that hold a library code. He then deleted that wallet, making all other wallets that depended on that library code no longer accessible, locking up some amount believed to be more than $200 million.

What exactly the bug ?

This special wallet does not hold any eth, as it considered as "internal" implementation but instead holding some library code. In ethereum, you can develop a smart contract using a special programming language called Solidity. To ease the development, people built a common code (library) that can be used by others to build their own smart contract. This library code will exists in a special wallet, and other contract that want to use this code will reference this wallet address in their contract.

Now since user devops99 has deleted the wallet, other wallets that depending on that no longer accessible.

Parity employed library driven smart contract development for their multi-sig wallets. Meaning, all multi-sig wallets referenced this single library contract for all their functionality.

An unwitting user took control of this library contract by calling the initWallet function on the library contract, which gave him ownership of the library contract as it had not been initialized (since it was a library contract) and the variable only_uninitialized had not been set. UPDATE:This could have been avoided if, after Parity deployed the library contract, it called initWalletonce to claim the contract and set the initialized variable. Source - https://ethereum.stackexchange.com/a/30130

I still don't understand :( ...

Parity is a wallet. It uses solidity code in ethereum to so multisig accounts. The wallets are all separate contracts but they use 1 shared library contract. This contract had a bug that made a user delete the whole contract. Which means all multisig contracts that used this shared contract as library don’t work anymore. Think deleting libc.
Problem is you can’t get the contract back at the same address, like putting back libc. And you also can’t update all the wallets to use a new contract address. So basically everything in those wallets is lost.

so in eth, the code itself is part of the blockchain ? I mean, I know the contract in eth is some sort of code, but this I assume a bit higher level code, which make sense to be part of the blockchain. But there must be underlying (like an OS) that define the ethereum itself. So which code actually has the bug ?

Yes the code is committed in the transaction. That’s why you can never change it. Other contracts can call code from other transactions.
The bug was in this library code which was in the contract maintained by the developers that was being called by all contracts people deploy themselves as wallets. - #devkini fellows.

============

Join t.me/devkini for Info and Updates on software development and general computing.