Saturday, 19 September 2020

Yes, this kid really just deleted $300 MILLION dollar by messing around with Ethereum’s smart contracts.

Last year, The DAO, a decentralized ‘autonomous’ investment fund, got hacked for $50 million. In July, a hacker was able to steal $31M of Ether by exploting a bug found in Parity’s wallets. Today, we have the worst hack yet, only this time, the stakes are even bigger and it is all just one big fuck-up.
Two days ago, a user named ‘devops199’ opened an issue on Parity’s Github, titled “anyone can kill your contract”, seemingly wanting to let Parity, a company that provides smart contracts for users of the Ethereum network, know about a vulnerability in their smart contract.
The smart contract that he was referring to, concerns a ‘multi-signature-contract’, which is used by a large amount of people as a ‘digital wallet’ to safely store their Ethereum. Apparently, this wallet had a ‘bug’ in its code. The bug, or, better said, security vulnerability, allowed Devops199 to make himself one of the ‘owners’ of the contract. This gave him the permission to do pretty much anything.
What Devops199 did then, might just be one of the most expensive mistakes ever made:

He ‘killed’ the contract.
Essentially, he deleted the function of the smart contract that allowed the owners of the Ethereum to transfer their Ethereum. He locked the Ethereum up in the contract, rendering it completely useless — forever. Still, it seems like he did not quite understand what had just happened.

“Wil ether transfer by owners work?”
No… No it won’t. You pretty much just deleted a f*ck load of money.
Essentially, everyone who used this multi-sig wallet, can no longer access their Ethereum anymore. Estimations of how much Ethereum was actually in these contracts range from $150 million USD to $300 million USD.
Parity, who also had their multi-sig wallets hacked in Juli, issued a ‘Security Alert’ once again, stating:
“We very much regret that yesterday’s incident has caused a great deal of stress and confusion amongst our users and the community as a whole, especially with all the speculation surrounding the issue. We continue to investigate the situation and are exploring all possible implications and solutions.”
The last thing that we heard from Devops199:

Providing a solution
It should be noted that the Ethereum itself is not actually completely deleted. It still exists; it can simply not be accessed.
Imagine that 280 million USD is stored in a deposit box. Somehow, a random guy was able to walk into the bank and say he was the owner of the security box. He was handed full access without a problem and subsequently permanently deleted the key to the deposit box.. This key, was completely unique and can in no way be recreated again.
There is however, a solution to the problem. We can go back in time to the moment where the key was lost and, you know… not lose it. I am not joking, with blockchains this is actually a possibility.
When the DAO, a decentralized investment vehicle, was hacked earlier this year, all transactions on the Ethereum network were reverted until the point of the hack. In other words, everybody on the network decided to ‘hard fork’ the blockchain from the last block before the hack happened. By doing so, all the transactions that happened from that block on, never took place, including the hack itself. After all, a transaction is only executed when it is included in the blockchain.

However, when the decision was made to hard fork the Ethereum network to recover the funds lost during the DAO hack, a part of the network did not agree with the decision. These people did not agree with going back to the last block before the hack and kept building on the ‘original’ chain instead. Suddenly, there were 2 versions of Ethereum: Ethereum, and Ethereum Classic.
Ethereum Classic still exists to this day, and at the time of writing, it’s market capitalization is about $1.3 billion USD, whereas the ‘forked’ Ethereum chain (the one that reverted the hack) is worth around $30 billion USD.
It is very doubtful that the Ethereum network will opt for a hard fork again, seeing the controversy it caused last time. Maybe Parity’s developers can come up with some magical solution to the problem, but I personally doubt it.
Criticizing Ethereum, again.
It might be time to take a step back and re-think the design of smart contracts. This is not the first time a bug in one of these contracts led to gigantic sums of money being compromised. The Ethereum Foundation likes to brag that Ethereum, as a smart contract platform, is ‘turing-complete’, meaning that pretty much anything can be coded and deployed on top of it. So far, this particular choice of design has resulted in more than half a billion dollar being compromised in one way or the other.
Turing-completeness consistently leads to vulnerabilities, as a contract is naturally only as good as its developer. Ask any developer about how often they accidentally write bugs into their code, with or without noticing, and you might understand why the whole concept of un-audited ‘turing-complete’ smart contracts is terribly dangerous when there is this much money at stake. Design choices have their consequences, and at some point it is time to re-evaluate them. For example, it might make sense for a smart contracting platform to only allow the deployment of ‘pre-vetted’ smart contracts, that are made and audited by professionals.
Of course, that is a very centralized process in a decentralized system. And sure, there are many trade-offs in the meta-design of a smart contract platform. But these trade-offs are worth thinking about, because Ethereum will always be plagued by security issues if nothing changes.
Supporters of Ethereum will say that I should not blame the platform for the mistakes made by smart contract developers and that’s a valid point to some degree. However, let’s not forget that Parity is not run by some unknown, incompetent boy in his puberty, deploying his first smart contracts. No, it is founded Gavin Wood himself, one of the co-founders of Ethereum.
If even his smart contracts consistently have such flaws, how secure will the majority of Turing-complete smart contracts be in the future?

by Thijs Maas 

Legal disclaimer: The insight, recommendations and analysis presented here are based on corporate filings, current events, interviews, corporate press releases, and what we've learned as financial journalists. They are presented for the purposes of general information only. These may contain errors and we make no promises as to the accuracy or usefulness of the information we present. You should not make any investment decision based solely on what you read here.

Creamcoin Marketcap