Parity Hack: An Ethereum Hard Fork Is Needed To Rescue Frozen Funds - The Community Disagrees

11/08/2017 - 16:30 UTC

The head of security at the Ethereum Foundation is quoted as saying that a hard fork is required to free the $150 million that was locked as a result of a hack in Parity, the second most popular Ethereum wallet.

As reported, on November 7, 2017, Parity-based multisig contracts were hacked, which resulted in up to $150 million being frozen. According to a discussion on GitHub, the Parity hack resulted from a novice user trying random commands. He admitted that he did it accidentally, even though he was not the owner of any multi-sig wallets.

Now, Parity and the Ethereum network are trying to find a resolution to free the funds.

Martin Holst Swende, head of security for the Ethereum Foundation, confirmed that a hard fork of the Ethereum blockchain is required.

Speaking to CoinDesk, Holst Swende noted that there is "no way to recreate the code without a hard fork" and emphasized that "any solution which makes the locked funds accessible requires a hard fork."

This is not the first time Ethereum will need an emergency hard fork to free funds. Last year, Ethereum hard forked from the original blockchain to save millions of dollars stolen as a result of the famous TheDAO hack. That hard fork was not peaceful, however, as many miners continued mining the old blockchain, which resulted in Ethereum Classic.

If a new hard fork is indeed needed this time to free the 150 million dollars from the Parity multi-sig contract, Ethereum will possibly undergo a period of uncertainty similar to last year's, because there are already voices in the community against a new hard fork. On the Ethereum subreddit, there’s a post saying:

"It is not the Ethereum Foundation's responsibility to create custom hard forks to fix buggy smart contracts written by other teams. This will set a future precedent that any smart contract can be reversed given enough community outcry, destroying any notion of decentralization and true immutability."

with most users agreeing that a custom hard fork to fix the Parity contract will hurt Ethereum’s credibility.

According to reports from Parity, the situation is not easy. Parity developers are evaluating many different proposals in order to find the right solution to unfreeze the funds.

Holst Swende says the difficulties they face "are more of a political than technical nature." He has also proposed a potential fix, in which Parity developers would have to recreate the wallet’s code without the exploit. But he said that he would like this to be "spearheaded by the affected parties, not the [Ethereum] foundation."

A solution to the issue would be the deployment of an Ethereum Improvement Protocol (EIP) that Ethereum creator Vitalik Buterin opened last year. That EIP allows reclaiming of ether from stuck accounts, but it would still require a hard fork in order to be activated.

Vitalik Buterin declined to comment on the recent exploit, stating on Twitter: "I am deliberately refraining from comment on wallet issues, except to express strong support for those working hard on writing simpler, safer wallet contracts or auditing and formally verifying security of existing ones."

Question remains open: How a novice user froze the funds

Parity Tech has yet to make an announcement as to how the library code upon which Parity multi-sig wallets’ functionality relied was wiped out.

At the moment the last update from the company is this:

Web3 Multi-Sig Wallet Update
On November 6th, 2017 an unidentified person wiped out the library code upon which Parity multi-sig wallets’ functionality relied. The effect of this action is that Parity multi-sig wallets deployed after July 20th 2017 have been frozen. Parity Technologies has released this blog post with more details.
The multi-sig used by the Web3 Foundation to accept contributions for Polkadot was one of those affected, putting the ETH in it beyond access. We understand that others have also been affected, though who and to what extent, is currently unclear.
The affected multi-sig wallet does not contain all of the Web3 Foundation’s funds; our ability to build Polkadot as planned and to the original timetable has not been affected.
The Foundation has not yet understood the sequence of events leading to the user’s suicide call to the contract library, but we are making all efforts to evaluate them, the ramifications and any possible solutions.
This is a dynamic situation and we will aim to provide an update when we can.

This is a very vague announcement. Given that Parity is one of the top Ethereum wallets, it is quite strange to see the company describe as a "suicide call" a random user's actions which "accidentally" had such a profound impact. Meanwhile, many wonder about the quality of the code inside Parity. As a user wrote on Reddit:

Leaving a big red self-destruct button in plain sight in such an important contract is an extremely stupid and costly mistake.
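
The dependency described in the announcement above, as a toy Python model added here for illustration (not Parity's code and not part of the original article): thin wallets forward every operation to one shared library address, so once that library's code is destroyed, withdrawals do nothing and every dependent wallet freezes at once. The forwarding mechanism, addresses, owner names and amounts are all constructed assumptions.

```python
# Toy model of contract accounts, constructed for illustration: not EVM-accurate
# and not Parity's code. Addresses, owner names and amounts are made up.
class Chain:
    def __init__(self):
        self.code = {}      # address -> {function name: callable}; absent = no code
        self.storage = {}   # address -> that account's own state
        self.balance = {}   # address -> ether held by the account

    def deploy(self, addr, functions, storage=None, balance=0):
        self.code[addr] = functions
        self.storage[addr] = storage or {}
        self.balance[addr] = balance

    def selfdestruct(self, addr):
        # Models the "suicide call": the account's code is removed for good.
        self.code.pop(addr, None)

    def delegatecall(self, wallet, target, fn, *args):
        # Runs target's code against the wallet's storage and balance. A target
        # with no code executes nothing, so the call has no effect.
        functions = self.code.get(target)
        return functions[fn](self, wallet, *args) if functions and fn in functions else 0

def lib_withdraw(chain, wallet, caller, amount):
    # Shared wallet logic: only a listed owner may move funds out.
    if caller not in chain.storage[wallet]["owners"] or amount > chain.balance[wallet]:
        return 0
    chain.balance[wallet] -= amount
    return amount

def stub(chain, wallet, fn, *args):
    # A thin wallet forwards every operation to the library address it stores.
    return chain.delegatecall(wallet, chain.storage[wallet]["library"], fn, *args)

def frozen_wallets(chain):
    # Defender's check: funded wallets whose library address no longer has code.
    return sorted(w for w, s in chain.storage.items()
                  if s.get("library") and s["library"] not in chain.code
                  and chain.balance[w] > 0)

def demo():
    chain = Chain()
    chain.deploy("LIB", {"withdraw": lib_withdraw})
    for name in ("wallet_a", "wallet_b"):
        chain.deploy(name, {}, {"owners": {"alice"}, "library": "LIB"}, balance=100)
    before = stub(chain, "wallet_a", "withdraw", "alice", 10)  # library present
    chain.selfdestruct("LIB")
    after = stub(chain, "wallet_a", "withdraw", "alice", 10)   # library gone
    return before, after, frozen_wallets(chain), chain.balance["wallet_a"]
```

In the model, `demo()` shows the legitimate owner withdrawing successfully before the library is destroyed and moving nothing afterwards, while `frozen_wallets` lists every funded wallet that still points at the now-empty library address.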
