Posted on

Parity Multisig Wallet Hacked, or How Come?

Background

Multisignature wallets are smart-contracts designed to manage crypto assets by the consent of multiple wallet owners. This type of wallets usually allows to set daily withdrawal limits, vote for withdrawals, vote for ownership changes, etc.

With the big surge in crypto prices this year, many people are now holding significant amounts of crypto assets. It is worth taking security more seriously and putting your assets, or at least most of them, into a multisig wallet is a good step toward that. That enhances security for a process that moves lots of funds quite quickly. If you own a multisig wallet, you need multiple “signatures” to move funds out of the wallet. In fact, these signatures mean multiple private keys.

This alternative to holding value in simple user accounts appeared in 2012. Multisig wallets are especially favored by cryptocurrency startups and other groups, as they are a safeguard against hacker attacks aimed at the asset holders. This is because they allow some of the owners’ accounts to be compromised while retaining full control of the money. Of course, it also helps against sneaky employees who might want to run off with the money. For this reason, multisig wallets are also a popular way of storing cryptocurrency raised in ICO.

Several years ago Gavin Wood, Ethereum cofounder and CTO established EthCore, a non-profit organization that develops software for Ethereum infrastructure, which later changed its name to Parity Technologies. One of its products is Parity, an Ethereum client that provides a web interface for the underlying Ethereum node software. It allows the user to access the basic Ether and token wallet functions, and also to interact with smart-contracts deployed on the Ethereum Blockchain. The Parity wallet is designed to integrate seamlessly with all standard tokens as well as manage Ether transfers. It is compatible with Ubuntu, OSX, Docker, and Windows. The vast array of options offered by Parity wallet made it extremely popular in the crypto community.

Attack

Multisigs are distributed to users as smart-contract source code: whenever someone wants to get one, they take the current code from the repository, deploy the contract onto the Ethereum Blockchain, then set the owners, place the funds, etc. Each wallet is a separate instance of the code.

In the case of Parity, some of the essential elements of contract logic, including the withdraw function that allows to take funds out, was placed in a library. A library is an already deployed smart-contract that is used by every Parity Multisig in existence (starting from a particular version). Such code separation can theoretically be a good thing: for instance, shaving off gas costs for users that have to deploy less code. Unfortunately, it also means that, should the library be broken in some way, it will affect every contract depending on it. And no contingencies were included.

On November 6–8, it was discovered that it was possible to initialize the library itself as a wallet, claiming owner rights for it, including the right to kill it altogether. All the deployed dependent contracts would then become useless. After killing the library, the attacker probed several deployed multisigs in order to try and change the owner list and withdraw the funds, retracing the steps of the July exploit. Between that and the GitHub issue claiming incompetence, the question of the attacker’s motives remains unclear.

According to crypto eli5, 151 wallets have been frozen, with their balances being 513,743 ETH or $152 million in total. Parity Technologies announce that 573 wallets have been affected and their total balance is unknown.

General reaction

Disbelief was the first and most common feeling experienced by members of the crypto community. Oh, they wished to unsee this amount of around $154 mln locked due to the allegedly random actions of some newbie! It has not only crushed Parity’s steady recovery after the notorious hack in July, but also made some users consider the limit of security fails and whether Parity has reached it.

The first reaction to the funds being frozen was sheer panic – only six months past the July hack the repetition seemed impossible, although the most reasonable community members at least began to consider cryptocurrency safety as priority. As soon as Parity provided official explanations, the panic gave place to distrust, as affected users found themselves at a loss.

Parity recently claimed that they treat safety and security issues seriously – so, how could such thing happen? One of the major concerns is that the bug had existed for some time before the crash. It affected the wallets created past 20 July 2017, i.e. after a hotfix driven by the hack.

A vulnerability in the then-current version of the Parity Multisig wallet was exploited, leading to $30 mln being stolen and another $180 mln rescued by a white hat hacker group, then subsequently returned to the rightful owners. Following the attack, Parity Tech deployed a new version of the wallet that, as it turns out, introduced another vulnerability. This led some users to complain on Parity’s insouciance regarding their funds and botched debugging process prior to the update release. The fact that the exploit was probably initiated by a clumsy newbie (as he himself has claimed), doesn’t give credit to the company either.

Parity answers in the most careful way, avoiding any certainty. Who can blame them for trying to calm the tumult? However, a user seeing phrases like “to the best of our knowledge” believes that developers don’t control the situation at all.

As a result, we see a whipped-up buoyancy among Parity and Ethereum opponents, for example, from Charlie Lee, Litecoin creator.

The attackers split into two almost equal parts: those who blame the developers of the smart-contract and those who believe the whole company to be guilty. Not to mention some voices claiming that the Ethereum architecture (such as immutable smart-contracts) is to blame. They are usually met with the counter-claim that it’s rather the coding practices and the maturity of development cycle are at fault.

Consequences

About $154 mln remains stuck in the wallets that were affected. Since smart-contracts in Ethereum are immutable, and no relief measures were included in the code, the only way to reclaim the funds seems to be a hard fork of Ethereum network. Otherwise, the Ether is going to remain in the affected contracts forever. This caused more discord in the Ethereum community. Unofficial twitter polls show approximately 50/50 division of supporters and opponents to the initiative, as the previous fork eventually broke Ethereum into two warring networks.

There are several technical possibilities of how such a hard fork can work, including implementing EIP 156 or putting a fixed version of the library back in place. However, this is a controversial issue, bringing back everything that had been discussed in regards to the DAO Hack and subsequent bailout.

Affected parties

Major players don’t rush in with “take it or leave it” propositions, waiting for more details from Parity. As the funds were actually frozen, not stolen, the developer is not pressed by time limits – though some will consider growing discontent of users to be the harder trial.

However, most companies affected by the exploit have already published statements to comfort clients and assure that, one way or another, the issue will be solved.

The multisig used by the Web3 Foundation to accept contributions for Polkadot, also established by Gavin Wood, was the biggest of those affected, putting the ETH in it beyond access. Luckily, the affected multisig wallet didn’t contain all the funds. Hence, the company claims that their original roadmap has not been affected. They are still in the process of evaluating loss and looking for possible solutions, but seem quite serene and confident about the future.

The Iconomi platform and its storage system also claim to be secure. $35 m were stored using the affected Parity Multisig contract and will remain locked until the situation is resolved. But all users’ digital assets stored on the platform are completely safe, and the functioning of the platform is unaffected. The developers of the platform stay positive. They state that the Ethereum ecosystem has already proven itself able to rapidly respond and adapt to unexpected challenges.

The Cappasity platform also assures the users that the platform and the content stored there are secure, and the functionality of the platform is unaffected. Although the funds raised so far during their crowdsale have been stored in an affected Parity multisig wallet, the company retains confidence. The crowdsale has been resumed in regular mode, having switched promptly to another multisig wallet after the attack. It looks like Cappasity was fully ready for the challenge: the existing partners of the company could compensate for the locked funds, if necessary. The team has also conducted their own research on the attack, arriving at a conclusion that there is a great probability of this being a deliberate hack (the evidence is provided at the end of the company’s first official statement).

In general, we see that leading players were acting wisely, as they didn’t put all their eggs in one basket. This seems to be the best possible strategy, as Blockchain is still a nascent industry, and it has to pass through several ups and downs to elaborate the best and safest strategies.

The article is written by Collis Aventinus, a Blockchain expert at Modern Token.

Posted on

ICOs are Here to Stay, Say Valiant Participants in Swiss ICO Summit

Smart Valor have just recently concluded a successful ICO summit in Zurich, organized on Sep. 15, 2017. Switzerland has of late emerged as an incubator for crypto projects, with big names like Ethereum having been developed in the Zug Valley.

Switzerland and Europe as a whole is now emerging as a center of start-up action and Smart Valor are keen to leverage the possibilities that are emerging as a consequence. The Swiss offers a stable and a neutral political environment and is known to be a competitive country with an excellent standard of life. The Swiss are also levelheaded, and perhaps that can be judged by the comment of Nicolai Oster, Head of ICO, Bitcoin Suisse who noted:

“In Switzerland ICOs have never really been the Wild West. At Bitcoin Suisse, we handle ICOs since 2014 and we handle it as a monetary business. It’s money we are transmitting, it’s compliant, it’s regulated, and that’s why I think the best quality projects and the safest are being created here in Switzerland. We never really had this Wild West attitude.”

It is amidst this backdrop that the first ICO summit was organized.

Smart Valor, organizers of the ICO Summit

Smart Valor is in the process of building a protocol that would create a distributed ledger for issuance and distribution of investment solutions. It would be comprised and be of benefit of all stakeholders. Smart contract based incentive mechanisms would be deployed in this protocol. The added advantage is the Swiss ethos of the project which ensures that privacy and security get high priorities. In short, Smart Valor are building private banking Swiss style but putting it on the Blockchain. This would make quality banking and investment solutions more accessible to more people than ever before. Investors will benefit by getting access to a wide variety of asset classes, asset issuers and funds would be able to access liquidity and reach out to a wider investor base and facilitators would get benefits of a Blockchain solution built from the ground up to provide transparency.

Gaining better understanding of ICO phenomenon

One of the reasons Smart Valor chose to hold this summit was to better understand the Initial Coin Offering (ICO) phenomenon and how it is changing startup funding. A carefully curated program was crafted in order to bring together industry experts and advisors so that they could share their knowledge on how successful ICOs are conducted. Michael Terpin of Transform Group, Richard Kastelein of Cryptoassets Design Group, Ransu Salovaara of TokenMarket, Daniel Zakrisson of ICONOMI and Dominik Zynis of Wings were some of the participants. The Zug Crypto Valley was well represented as well by Niklas Nikolajsen, CEO of Bitcoin Suisse, and Olga Feldmeier, CEO of Smart Valor.

Tokens are a new asset class

Tokens, which are issued during ICOs to fund new projects and startups are coming of age as an asset class of their own. They are also posing a dilemma for regulators, this was discussed at the ICO Summit with William Mougayar, General Partner at Virtual Capital Ventures suggesting that it would not be long before these would have to be recognized by regulators as an asset class. He said:

“There is precedent for this for all those who remember General Georges Doriot, known as the father of venture capitalism, and how he forced a rewriting of the US Securities Act of 1940 to allow for stocks to become a new asset class. … And that was something new and now stocks are regulated. … A year from now I can predict tokens are going to be regulated and be accepted as a new asset class.”

Addressing investor risk

When we talk about ICO investing, we are talking about a completely different animal than traditional Venture Capital Investing. Investing in startups has always carried some risk but it can be that ICO investors have different motivations and different outcomes.

Jamie Burke, Founder and CEO, Outlier Ventures described this at the ICO Summit:

“The key distinction to make is that as an investor in an ICO you are not investing in a startup anymore. If executed really well you’re investing in a digital economy and actually you’re backing a community to execute on that. … That really changes the dynamics because if you look at typical VC investing, 90 percent of startups will fail and all the value will be lost and all know-how and teams dissipate, and that is a really inefficient allocation of capital and a really inefficient way to do innovation.”

He added:  

“What is most exciting about this space is that companies that were previously developing proprietary technology and probably on the trajectory of that 90 percent are now looking at open sourcing their intellectual property. For me, that is the most exciting thing, but it also makes investing in this space I think less fragile. You can talk about valuations and all this stuff, but you are not valuing a startup, you’re valuing the ability of a community to execute on an open source project. These are less likely to fail because if any one team fails to execute the open source community can pick it up. So I look at it almost as a relay race rather than a sprint.”

Bitcoin and ICOs will thrive even if China ban materializes

The recent actions of the Chinese government in banning crypto exchanges in the East Asian country may have cast a pall of gloom on ICOs and tamed down some of the excitement but it is certainly neither the end of digital currencies like Bitcoin or ICOs.

As Olga Feldmeier, CEO and Founder of Smart Valor put it:

“What we hear from China these days is of course very worrisome. It is not good news. But will it really be a significant breakdown or problem for Bitcoin? I don’t think so. We have seen the same thing already in Russia a couple of years ago. Putin said he would throw everyone in jail for four years if they simply touched Bitcoin. But what happened? The country became one of the largest volume traders. Concerning China, I am not worried. I think it is a great opportunity to buy for those who didn’t.”

Charles Hoskinson, Founder of IOHK added:

“Why is anyone surprised that a country like China that built a giant firewall, is upset and scared about free money, especially when they have capital controls? Right now we have a changing regulatory environment and it’s frustrating, but the truth is, the genie is out of the bottle and we are in control of our own money. In tokens, we have found the stem cell of asset classes and we can do whatever we want to with it. As a consequence of this freedom, we now have a lot more responsibility as individuals, but we also have a lot more financial freedom.”

ICO Summit creates a positive momentum

There were over 500 attendees at the Zurich ICO Summit and another 2,000 joined through livestream. People came from 30 countries to be at the summit. Smart Valor managed to pull off the summit and make it a grand success. They also managed to dispel some doubts about ICOs and showcase the potential they have in redefining funding for emerging projects and startups.

This is a nascent stage for ICOs and also for our understanding of this new emerging model of raising funds. It is perhaps why that Smart Valor will hold a second edition of the ICO summit at the beginning of 2018. It is through these type of get-togethers that self-regulation can emerge and the quality of ICOs be improved. A new code of practice, if it emerges would be of great help to investors, facilitators as well as asset issuers.