Someone ‘Accidentally’ Locked Away $150M Worth of Other People's Ethereum Funds
And a hard fork is on the table.
On Tuesday, a single user permanently locked down dozens of digital wallets containing nearly $150 million worth of ether, the unit of exchange on the Ethereum platform, allegedly by accident.
Now, some in the Ethereum community are considering the possibility of a risky network split, known as a "hard fork," to fix it.
The affected wallets—known as "multisignature" wallets because they require multiple people to sign off before funds are moved, making them popular with companies—were all created with Parity, a popular program for digital wallets. Parity multisignature wallets experienced a bug in July that allowed a hacker to steal $32 million in funds before the Ethereum community scrambled to band together to hack back and secure the rest of the vulnerable ether.
According to a blog post released by Parity on Tuesday, the code that fixed the July bug contained another vulnerability. That vulnerability allowed a user known as "devops199" on GitHub, a site for developers to collaborate on open source code, to trigger, allegedly by accident, a function that turned the shared contract governing Parity multisignature wallets into a regular wallet address and made him or her its owner. Devops199 then killed this wallet contract, or, as Parity put it, "suicided" it. Because every affected multisignature wallet relied on that one contract for its logic, this made them all instantly useless, their funds locked away with no way to access them.
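The pattern Parity describes, a shared wallet library whose own storage is never initialised, so that a caller can become its owner and then destroy the code every wallet depends on, is illustrated below in Solidity. This is an added example written for this page, not Parity's code: the contract and function names (VulnerableWalletLibrary, HardenedWalletLibrary, ThinWallet, initialize, destroy, withdraw) are hypothetical, and the real library used different names and a different layout. The hardened version shows the two defensive checks a reviewer would look for: the library locks its own storage at deployment, and shared logic contains no selfdestruct at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// --- Vulnerable pattern (hypothetical, not Parity's code) ---
// Wallets keep no logic of their own; every call is forwarded with
// delegatecall to this shared library, so the library's code runs
// against the wallet's storage. The flaw: the library's OWN storage is
// never initialised, so initialize() also works when called directly on
// the library address, making the caller its owner, after which
// destroy() removes the code that every wallet depends on.
contract VulnerableWalletLibrary {
    address public owner;      // slot 0

    function initialize(address _owner) public {
        owner = _owner;        // no check that this already ran
    }

    function destroy(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);      // fatal when run on the library itself
    }
}

// --- Hardened pattern ---
contract HardenedWalletLibrary {
    address public owner;      // slot 0
    bool private initialized;  // slot 1

    // Mark the library's own storage as initialised at deployment, so
    // initialize() can only ever succeed via delegatecall from a wallet
    // whose storage is still fresh. Calling it on the library reverts.
    constructor() {
        initialized = true;
    }

    function initialize(address _owner) public {
        require(!initialized, "already initialized");
        require(_owner != address(0), "zero owner");
        initialized = true;
        owner = _owner;
    }

    // Deliberately no selfdestruct: shared logic must never be able to
    // remove itself. A wallet that wants to close sweeps its funds instead.
    function withdraw(address payable to, uint256 amount) public {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }
}

// Thin wallet that delegates everything to the library. Its storage
// layout must mirror the library's (slot 0 owner, slot 1 initialized);
// `logic` is immutable and therefore lives in code, not in a storage slot.
contract ThinWallet {
    address public owner;      // slot 0
    bool private initialized;  // slot 1
    address public immutable logic;

    constructor(address _logic, address _owner) {
        logic = _logic;
        // Runs the library's initialize() against THIS wallet's storage.
        (bool ok, ) = _logic.delegatecall(
            abi.encodeWithSignature("initialize(address)", _owner)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    fallback() external payable {
        (bool ok, bytes memory ret) = logic.delegatecall(msg.data);
        if (!ok) {
            // Bubble up the library's revert reason unchanged.
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}
```

Deploying the library once and then one ThinWallet per customer gives the same architecture as a shared multisig library, and the failure mode in the article corresponds to the library's own storage being writable; with HardenedWalletLibrary the constructor has already set `initialized`, so the same call reverts, and there is no destroy path left to reach. Two practical caveats: static analysers such as Slither flag unprotected selfdestruct and shared-logic initialisers without an initialised guard, so this pattern is cheap to catch in CI; and on chains that have adopted EIP-6780 (the Cancun upgrade), selfdestruct no longer deletes code outside the transaction that created the contract, which removes this particular blast radius but leaves the unguarded-initialiser lesson fully in force for any proxy or upgradeable design.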
If the story is true, it seems like Devops199 was jiggling door handles and when one door opened, they tried to close it and the whole house exploded.
"We are asking for everyone to be patient until the full extent of the issue has been identified and we will communicate any necessary instructions or advice," a Parity spokesperson wrote me in an email. "We are advising users not to deploy any further multi-sig wallets until the issue has been resolved and to not send any Ether to wallets that have been deployed and are in use already."
Devops199 made an appearance in the Parity chat channel after the incident. "I'm [an Ethereum] newbie… just learning," devops199 wrote. "You're famous now lol," replied another user. When I reached devops199 for comment on the incident, they replied, "Sorry… I'm really afraid now… can't talk."
Some Initial Coin Offerings (ICOs)—controversial and lightning-fast fundraising rounds for Ethereum apps—were affected, although it's not clear which ones or how many.
Somewhat ironically, one of the affected wallets was for Polkadot, an Ethereum app launched by Parity's own founder Gavin Wood. Polkadot recently garnered over $100 million in investments from an ICO. "Polkadot will continue as planned," a Parity spokesperson told me in an email.
Potential solutions at this point are murky. Already, users are speculating (or morbidly joking) about the possibility of a "hard fork" to reverse the change and bring back the locked funds. After an Ethereum app called the DAO was hacked last year and an attacker siphoned away more than $50 million, the community decided to create an entirely new version of Ethereum where the hack never happened. This was an extremely controversial and arguably risky maneuver, because if the majority of the community doesn't move over to the new network, a fork can result in serious instability.
After the Parity bug in July saw an attacker steal $30 million worth of ether, Ethereum's inventor Vitalik Buterin took to Twitter in an apparent disavowal of a hard fork fix. The DAO hard fork was justified because the Ethereum ecosystem was "less mature then," Buterin wrote. Ethereum has become more valuable and popular since then, and so this logic may continue to hold.
Buterin did not respond to Motherboard's request for comment.
Parity may see things differently. "At the moment we are looking into every scenario, a hard fork is one of the options," a spokesperson wrote me.
CORRECTION: An earlier version of this article stated that nearly $300 million had been locked away, citing a Pastebin document that was circulating the morning of the incident. Parity Technologies later clarified the exact figure, setting it closer to $150 million. This article has been updated to reflect this information, and Motherboard regrets the error.