Alt-coin wallet software maker Parity has published a postmortem of the bug that put millions of dollars of people's Ethereum on ice – and has admitted it knew about the flaw for months. It just hadn't got round to fixing it.
Last week, netizens using Parity's multi-signature wallets created after July 20 – wallets that each require more than one person to authorize transactions – found themselves locked out of their funds after an anonymous miscreant triggered a bug in the code and froze the crypto-currency collections.
It was thought as much as $280m of Ethereum had been permanently trapped in the affected wallets, but this was later amended to $169m, or 513,774.16 ETH.
It was also thought that a user going by the handle of devopps199 accidentally created a corrupted wallet, which then had a cascading effect across Parity's user base, locking people out of recently created multi-signature collections. Subsequent analysis of the cockup alleged the lockdown was no accident, but a deliberate attempt to bork Parity wallets. The software maker has not commented on the claims.
In this latest report, however, Parity said it was warned of the programming flaw by a user in August, months before the wallet freeze was triggered. After examining the issue, the developers determined it really was a potential problem, and resolved to issue a fix "at some point in the future."
That future didn't come soon enough for the owners of at least 70-odd Ethereum wallets knackered by the bug.
"Parity Technologies regularly employs external auditors for formal audits of smart contracts that we write," the outfit said.
"However, rather than just having more audits, we strongly believe that more extensive and formal procedures and tooling around the deployment, monitoring and testing of contracts will be needed to achieve security. We believe that the entire ecosytem as a whole is in urgent need of such procedures and tooling to prevent similar issues from happening again, in particular if and when the number and complexity of live contracts grows."
Parity said that it deeply regrets making the coding error that led to the wallet freeze and the loss of the millions of dollars the frozen wallets contain. As a precaution, it has stopped issuing multi-signature wallets, and insists its standard Ethereum holding software is fine.
As for actually unlocking the trapped funds, Parity said it has no immediate solutions. It said it is considering several Ethereum improvement proposals to put to the community, is carrying out a full-stack external security audit of its existing sensitive code, and promises to expand its security team.
Ethereum prices are currently $330 per coin, and have risen slightly since the Parity snafu. ®