A bug in popular third-party Ethereum wallet Parity has caused three ICOs to be drained of their funds to the tune of over $32 million.
The Parity bug in question meant that certain multi-signature wallets were in fact zero-signature wallets.
Three ICOs appear to have been affected: Edgeless Casino (@edgelessproject), Swarm City (@swarmcitydapp) and Aeternity Blockchain (@aetrnty). The total amount initially stolen seems to be 153,000 ETH (around $32 million).
However, it appears that most of the funds were taken by white hat hackers to this address. The hackers released a statement saying they scanned the entire blockchain for vulnerable Ethereum contracts that were affected by the Parity bug and decided to take action by taking the Ethereum coins before they could be stolen.
The white hat hackers promised to create new, secure, multisig smart contracts where the original owners can use their existing credentials to reclaim their coins. This white hat hacker address currently stands at 373,000 ETH ($73 million).
Parity is a third party Ethereum client. It is faster and much more stable than the official GETH client, which has severe issues when downloading the blockchain for the first time. For many, Parity is the only way to use Ethereum reliably. Within hours, Parity announced it had updated the code for its multisig wallets, and that going forward, any multisig contracts created with Parity will no longer be affected.
Ethereum co-founder Vitalik Buterin dismissed the idea of another hard fork to return the stolen funds, as happened in the case of the DAO heist in June 2016 in which a bug in the DAO’s code enabled an attacker to get 3.6 million ETH out of 11.5 million ETH in circulation at the time. (One ETH then was worth under $20 – today it is just under $200, falling around 13% since the Parity hack).
Buterin said that the ecosystem had matured since then, and that – as a percentage – the DAO attack was much greater. Most importantly, he added, today’s attacker can simply move funds, so a hard fork is impossible. In the case of the DAO, the code imposed a delay before funds could be transferred, giving the Ethereum developers time to put out a fork to block and return the funds.
At the time, many questioned if it was wise to hard-fork Ethereum to reverse the damage given all the talk about an immutable blockchain and the code-is-law mantra. Many disagreed with the decision and the original Ethereum blockchain continued on, with the attacker getting the money under the name Ethereum Classic (ETC). High on the list of arguments against a hard fork was that it set a precedent and would open the floodgates for law enforcement to demand hard forks in the future to seize funds.
Now, with the emergence of the Parity bug, the debate has resurfaced, and some investors who had their funds stolen are threatening to sue Buterin if he does not hard-fork Ethereum yet again to return the Ethereum coins taken in this event.