The Case of Frozen Ethereum: Wallet Company Knew About the Flaw for Months But Delayed the Patch
The flaw that enabled a user named “Devops199” to freeze millions of dollars in Ether last week was actually known beforehand, but the company delayed the patch. In a report published by Parity, an Ethereum wallet company, the firm said it became aware of the coding flaw in August but considered it a “convenience enhancement”, postponing the patch to a regular future update.
Parity knew about the critical Ethereum coding flaw for months before it was exploited
The flaw allowed a user to call a function named “initWallet” to become an owner of a multi-signature wallet library contract and then call a “kill” function, destroying it and disabling the other multi-sig wallets that depended on it.
“In August, a Github contributor called “3esmit” recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement,” Parity said. “Thus, we committed this proposed enhancement to the library contract that would automatically initialize it by calling initWallet on construction.”
Because Parity interpreted the recommendation as an enhancement rather than a security fix, the changed code was scheduled for deployment in a regular update at some future point in time.
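As an added illustration (not Parity's code), here is a constructed, simplified Solidity sketch of the pattern the article describes: the vulnerable shape of a shared wallet library with state and an unguarded initializer, beside a form hardened along the lines of the proposed change. Contract names, the `initialized` flag and the `_to` parameter are assumptions; only `initWallet` and `kill` come from the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the pattern described above; not Parity's code.
// The "library" is a shared contract that wallets delegatecall into, so its own
// storage is separate from each wallet's, and nothing ever initializes it.
contract VulnerableWalletLibrary {
    address public owner;

    // Each wallet runs this via delegatecall at creation. On the library contract
    // itself it has never run, so the check passes for whoever calls it first.
    function initWallet(address _owner) public {
        require(owner == address(0), "already initialized");
        owner = _owner;
    }

    // With ownership of the library, kill() destroys the shared code and every
    // wallet that depends on it stops working.
    function kill(address payable _to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(_to);
    }
}

// Hardened form along the lines of the change the article describes: the
// initializer is consumed at deployment, so it can never be claimed later.
// Wallets still delegatecall initWallet against their own, separate storage.
contract HardenedWalletLibrary {
    address public owner;
    bool private initialized; // assumed flag, not in the article

    // Lock the library's own storage at deployment, as the proposed change did
    // by initializing in the constructor. No owner is ever set here.
    constructor() {
        initialized = true;
    }

    function initWallet(address _owner) public {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }

    // No kill() in shared code: a library that can selfdestruct takes every
    // dependent wallet down with it, the design objection raised on Reddit.
}
```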
After Devops199 called the kill function, an estimated $300 million in Ether was frozen. Parity puts the figure at around $170 million (at today’s ETH rates), saying that 587 wallets holding a total of 513,774.16 Ether, as well as additional tokens, were affected.
“What kind of reviews did you have if you didn’t detect this? Like it’s in the definition of libraries, they shouldn’t have state, and they should obviously not be possible to be disabled,” one user wrote on Reddit. “I know it is easy to be smart in hindsight, but these are huge design errors, I can’t comprehend how could this pass reviews in the architecture phase.”
“This response is concerning to say the least,” another said. “Nowhere do they accept any responsibility for the problem.”
As for what happens next, the company is still looking into options or Ethereum Improvement Proposals “that have the potential to unblock funds”. In its report, Parity also mentions a bug bounty program. However, the company probably needs to focus more on patching what it already knows about than on finding new bugs, since by its own admission it knew about the flaw for nearly 3 months before it was exploited – whether accidentally or not.