ETHERLive
ETHERLive delivers real-time price and volume data across 16+ exchanges to users in a clear and easy-to-understand package. Users can get up-to-the-second updates for each exchange/currency pair, as well as aggregated market averages for each exchange, currency, and the market as a whole. It also provides a global converted average of all the currency pairs monitored by ETHNews, converted to USD.

---

24hr ---
--%
Wednesday Dec 13th 2017
RESOURCES

The Basics

Learn the basics of Ethereum and various cryptocurrency technologies

Learn More

What is Ethereum?

Understand the underlying principles of the Ethereum Platform

Learn More

The Blockchain

Discover the revolutionizing technology known as the blockchain

Learn More
SUBMIT

Press Release

Submit a press release for consideration on ETHNews

Submit Press

Story / Dapp

Submit a story or DAPP to be considered for publication on ETHNews.

Submit Story

Explanation

Submit "Ethereum Explainer" content for consideration to be featured on ETHNews

Submit Topic
ETHNews Logo
---
--%
Home
News
Etherlive
Ether Price Analysis
Resources
Contact Us

Parity Acknowledges It Could Have Prevented Freeze

By

Adam

Reese

WriterETHNews.com

Parity has admitted that it was planning to take steps that would have averted the freezing of over 500,000 Ether, but that it failed to do so in time because it did not realize the urgency of the problem.

Parity, the company that made headlines when an anonymous user took ownership of and suicided the EDCC that served as a library contract in some of its wallets, effectively freezing some 513,774.16 Ether belonging to 573 users, has analyzed the incident in a November 15 post-mortem.

According to the report, Parity could have averted the freeze if it had been faster to follow a suggestion by a GitHub user who proposed that the next time the company revised the code of the library contract (by copying the existing code, modifying it, and deploying the contract anew), it should call the initWallet function, which would have prevented any non-company actor from obtaining ownership of the contract. Parity’s statement says it incorporated the function in the contract’s constructor, meaning that an owner would have been automatically assigned when the library contract was redeployed. However, because the company considered the fix a “convenience enhancement,” it delayed its implementation, bundling it with “a regular update” that would be rolled out “at a future point in time.” In fact, because the library contract is architected to deploy only once, Parity could have called the initWallet function at any time, not just after the implementation of an update, and it would have removed the vulnerability that allowed the freeze to occur. Furthermore, by applying the code changes suggested by an unaffiliated developer who started the above-mentioned GitHub thread by proposing a different set of modifications to the contract, the company could have avoided its current predicament.

Parity says that while the “original ‘Foundation’ multi-sig wallet code … continues to have no known security issues,” the library contract, built by modifying a copy of that code, “still contained the original self-destruct function that is designed for retiring the wallet” and, like the wallet from which it was cloned, “required initialization.” Therefore, the company admits, it could have also precluded the freeze by eliminating the ability to suicide from the library contract.

Looking ahead, the post said,

“However, rather than just having more audits, we strongly believe that more extensive and formal procedures and tooling around the deployment, monitoring and testing of contracts will be needed to achieve security. We believe that the entire ecosytem [sic] as a whole is in urgent need of such procedures and tooling to prevent similar issues from happening again, in particular if and when the number and complexity of live contracts grows.”

The Parity team, according to the post-mortem, is “working hard on several Ethereum improvement proposals” (EIPs). According to a November 13 announcement, this includes EIP156, which was originally proposed by Ethereum creator Vitalik Buterin. ETHNews previously reported that the Ethereum Foundation’s head of security, Martin Swende, suggested modifications to EIP156 in the wake of the freeze. The post-mortem states that “Parity Technologies will handle much of the development work around these proposals and work constructively with the Ethereum Foundation team and the community towards further protocol layer development.” Swende had previously told ETHNews that he hopes “the discussion [around how to proceed] can be carried forward without the foundation acting as a central authority.”

Parity concluded its post-mortem with a list of additional steps that it is taking in response to the suiciding of the library contract. First and foremost among these is freezing “the ability to deploy multi-sig wallets until … we can be confident this will not happen again.” Parity will also commission a “full-stack external security audit of all existing sensitive code” to identify any existing vulnerabilities and will ensure that moving forward, “all necessary contract deployments are adequately linked to [a] code alteration and review process,” one that is expected to involve a “checklist for deployment.” Additionally, the firm will support research on “other smart contract languages and tooling,” and “extend [its] bug bounty program.”

Adam Reese

Adam Reese is a Los Angeles-based writer interested in technology, domestic and international politics, social issues, infrastructure and the arts. Adam is a full-time staff writer for ETHNews and holds value in Ether and BTC.

ETHNews is commited to its Editorial Policy

Like what you read? Follow us on Twitter @ETHNews_ to receive the latest Parity, freeze or other Ethereum wallets and exchanges news.