There are many valuable lessons to be learned from the recent Parity multisignature bug. It is unacceptable that so many wallets have had funds frozen without a viable solution to undo the damage. More specifically, this issue has persisted for quite some time now, and it seems things are not necessarily improving. As the ARToken team points out, there are some things that will need to change to prevent history from repeating itself.
Ethereum Still has a lot of Issues
It is always easy to point the finger at the Parity team for their mistakes. While they are the sole party to blame for not fixing the exploit in time and postponing the fix for no good reason, the technology they have to work with is not without its flaws either. As much as most people would like to think otherwise, the Ethereum protocol and its technological features are a major security risk. Without proper coding and auditing, no money will ever be safe. Criminals know there are weaknesses and they will continue to exploit them for as long as they can.
It is evident that code audits in the cryptocurrency world are very rare. That is surprising, especially when it comes to so-called trustless solutions. “Code is law” is an interesting motto to live by, but it is still code developed by human developers. For all intents and purposes, no coder is bulletproof or unbiased; that is simply a fact. We need proper independent audits of all written code to make things improve rather than deteriorate. Taking responsibility for what is happening needs to become the new normal, instead of writing it off as “their problem, not mine”.
While US$30 million lost may seem like a drop in the bucket – after all, the Ethereum price is pumping hard – it is not something that should go by without repercussions either. Smart contracts, which are often seen as the cornerstone of everything Ethereum has to offer, are simply not secure. They weren’t on day one and they still aren’t today. While everything may seem in order most of the time, the Parity multisignature bug shows how easy it is sometimes to manipulate these contracts for financial gain or just to annoy others.
Sadly, there has been no independent audit of the relevant smart contract so far. That’s very concerning, as it demonstrates the team isn’t eager to take proper responsibility for the bug. This degree of irresponsibility will hinder the growth of Ethereum in the long run. It appears a lot of people have forgotten this is not the first time Parity has made a mess of things. It was successfully attacked five months ago as a result of another major smart contract bug.
We are not just pointing the finger at Parity, though. It’s also up to the original Ethereum developers to step up and push for more code audits. Vitalik Buterin distanced himself from the Parity issue by stating that he “won’t comment on wallet issues”. However, he also mentioned that he is a big supporter of those working hard on “auditing and formally verifying security of existing ones.” That’s a noble statement, but the real message has mostly fallen on deaf ears so far.
All of this goes to show Ethereum is not in the good place many people think it is. There are a lot of fundamental issues which will need to be addressed, yet no one is taking the initiative to do so. It is a powder keg waiting to explode at this point, and things only seem to be getting worse. How all of this will play out in the long run remains to be determined. Diehard Ethereum supporters – or fanboys – will gladly tell people to ignore this FUD and look at the technology itself. Unfortunately, that technology is not as secure or as future-proof as they might want to believe.
This is impressively ignorant.
https://uploads.disquscdn.com/images/266007c0c0c5f321267c90eb5ad6102feb160bca0193f4240b2a88198c4efeed.png https://uploads.disquscdn.com/images/12e2fdd070cd65388b6952f214f4e18274e5022bf28d8ee3db488854430d802f.png https://uploads.disquscdn.com/images/d21815da2bb8f40755a65eb6033e829d794aaabd169cc5b630b045b3ac906ff7.jpg https://uploads.disquscdn.com/images/393bbe4d370cb089b78bc95e265c2a6f79a9f64625a51a3c28a83ab0f8f54373.jpg https://uploads.disquscdn.com/images/a90839906b6b00aad8baa1fd2aae4eb88b05358729a7d1944d411dd2966b75b2.jpg https://uploads.disquscdn.com/images/c48b7ba7cd1bb339b7195ff38259e9bbfa184644b046af0f1062424b722eb303.jpg
Granted, Ethereum and all the other coins, tokens, platforms, etc. are immature. Significantly more auditing needs to occur. But calling it ‘a powderkeg’ is beyond hyperbole and is unfair indictment against cryptos in general. Yes, we’ll probably see additional flaws exposed that will have impact but none of these will be a black swan and will only serve to strengthen this space.
This article could not be more incorrect. To blame Ethereum, a platform which has openly communicated it is turing-complete platform for running immutable code of any kind within the constraints of the environment, for the mistakes of others is absurd. To suggest that Vitalik should have any concern or share any fault with the mistakes of others is absurd. The Parity bugs are shame on Parity for releasing without adequate testing and shame on others for using without adequate testing. The only thing that Ethereum could be blamed for are bugs in the Ethereum environment or miscommunicated functionality leading to unexpected behavior, which is not the case here.
Oh and to top it off with the most ignorant comment of all: “Smart contracts….are simply not secure”. This baseless and unsubstantiated blanket-statement demonstrates a complete lack of understanding of the platform, bugs, and situation at hand. Well written and tested smart contracts, once deployed to the immutable environment and their binaries matched and verified to their publicly readable source code, are the definition of secure.
The one correct argument: we need better testing and auditing.
I disagree that auditing would solve the problem. The incentive to find bugs is bigger(more rewards and time) than when testing. But I think the solidity is overcomplicated, we should probably stick with something very simple and concise, something like assembly coding.
Lot of Ethereum hodlers in the comment section are upset, but the author is correct. The biggest problem here is most people do not and will not have a good grasp of coding language. This is comparable to giving me a contract to sign with the fine print written in Japanese, and having the contract irrevocable in the case something in the contract is incorrect of misleading.
This article is so flawed it almost makes me think it’s by design. Anyhow, as a developer, let me tell you that reading an article that attempts to blame a a platform, Ethereum, for the poor testing and implementation of a software product, Parity, is both laughable and uneducated. While you might be fooling crypto investors who don’t know better, you are having zero effect on actual developers, which is precisely why ethereum is so exciting in the first place– it has an amazing developer platform.
Keep in mind that there is an effect that you may not realize you’re creating. If, by some chance, you’re lying by design, then the more that people learn about and use Ethereum, the less they’ll trust your opinion on it, as the facts of a scenario become clearer. In fact, as Crypto in general becomes more main stream, people will in fact drift away from publications like this, because they won’t trust your impartiality, and so they’ll look for publications that tell a fuller story.
That being said, I still like the site, and it could be that the writer is just basing the article off of what they themselves have read/ But perhaps you should hire actual developers to talk about development related issues, in case this purely a result of the author being unfamiliar with software development as a whole.
How can you both support an article that claims that a platform is to blame for “exploits,” and at the same time admit that the language is new, and so develoeprs don’t know it well. Which is it? Are the developers to blame for not knowing a new language well, and therefore clearly not testing well, or is the platform flawed? lol. You guys have no idea what you’re talking about.
Agree 100%. Article is full of nonsense, truly.
I am not singling out solidity in particular, I think you are misunderstanding my point. I was referring to the fact that the common man(non-techie) likely will never have a decent grasp on really any programming language. This has implications if we are promoting Ethereum smart contracts to reach any sort of widespread adoption. It remains to be seen who is going to be auditing all of these smart contracts as well, and what inventive they may have for doing so.
It doesn’t remain to be seen. Not trying to be rude, but literally nothing you’ve said even makes sense. People who write code in common languages, like C, Python, Java, Ruby, whatever, they write their own tests or they have full fledged teams that write and execute tests against software they’ve written.
Under what circumstance would the “common man,” a non-techie, as you described, be writing software? lol. Wouldn’t you at least have to be a techie who knows how to write software to even be able to write a smart contract?
Solidity is a programming language, so it’s meant for consumption by developers, not regular people who know nothing about writing software. The common man doesn’t write software today, does he? No, not anymore than the common man creates new synthetic drugs, or performs surgery. What are you even talking about?
You would think this would be clear without having to even think about it, but Parity’s developers aren’t the “common man.” The majority of them likely have computer science degrees, and are professional developers. probably very good developers. They just screwed up, shit happens all the time, software isn’t magic. Apparently they needed to initialize some code in their wallet contract and didn’t. Human error and a flaw. It can and does happen in every piece of software in the world, including Bitcoin and all of its wallet hacks 🙂
I know. I know. I’m a terrible person for not being able to simply let go of things. But I can’t let nonsense go so easily. I’m sure my Karma is ruined as a result. But anyway, this statement of yours here: “This has implications if we are promoting Ethereum smart contracts to reach any sort of widespread adoption. ”
No, it doesn’t. Because your entire argument is based off of the assumption that it is irresponsible to let the “common man” have access to solidity, since it’s complex, or too new, and the “common man” could make a mistake and destroy everyone’s money.
Do you realize that the common man already has access to all these tools? Do you realize that the same tools and languages and frameworks that run the software that controls the money in your bank account is available to the common man? No, there is no way in hell that you realize this, because you never would have written what you did. Anyway, it is not the fact that most of these tools are open source, freely available, and widely distributed across the entire world that prevents the “common man” from using them.
It is the fact that the “common man” doesn’t know anything about writing software, and when he stumbles upon those tools and languages, it looks like hieroglyphics and nonsense and math or whatever to them. It’s not accessible to the common man because the common man doesn’t understand it. Anymore than the “common man” understands advanced mathematics. Should we lock up all the math text, to make sure no one builds a weapon of destruction?
Anyway, I don’t mean to be rude, this is not an insult against you, but it is an insult against your argument. Hopefully that comes across. See my other comment to explain why you’re 100% wrong about Ethereum. If you knew better you’d probably be more excited about it.
You can’t blame a platform for other’s buggy apps that live on it. If developers like Parity fail at something, why blame Ethereum? It’s like blaming the internet because it harbors computer viruses. Ethereum’s code is solid, but of course anything that is more capable than basic transactional executions is going to hit bugs here and there. At least there’s one thing we know for sure, if a hardfork is immediately necessary, there are other chains that you know will pretend it’s all unicorns. Ironic, because the biggest critics of Parity not taking any action are also fans of Bitcoin Core never taking any action.
I was not referring to those writing the contracts but those putting their money into something that is irreversible. I feel the parity wallet event speaks volumes to the security concerns with smart contracts even when you have talented developers like Gavin Wood playing an integral role. I do like the idea of smart contracts and think there is a lot of opportunity there but there’s definitely a lot than can go wrong especially for the ones whose money is at stake.
+1
“This article is so flawed it almost makes me think it’s by design” It is. Research the author. He is a Bitcoin hack who only follows Bitcoin cheerleaders on Twitter. He doesn’t follow one Ethereum project or developer which is very telling of his agenda. He obviously has personal motivation to try to FUD Ethereum. I’ve read good Merkle articles before. This is an embarrassment.
” I do like the idea of smart contracts and think there is a lot of opportunity there” How insightful. So the 200,000 Truffle downloads hasn’t been a waste of time by tens of thousands of Ethereum developers. So glad you have determined smart contracts might be useful.
Very bad design!
I think you’re downplaying the seriousness of the Parity Disaster. You can say shit happens but $160 million in funds are now frozen and likely gone forever unless the network is able to fork. Your last paragraph confirmed my point, Even when you have talented developers the chance for to lose peoples’ funds irreversibly is a very really consequence. This is very different than a written contract: Alice gives John x amount of money in exchange for a service, whereas with the same in smart contract form could really mean Alice gives John x amount of money in exchange for a service but Chris(third party) can collect Chris’s funds due to a technicality.
I guess what we are hoping for is that you will arrive at a point? Since the entire premise of bitcoin, ethereum and the like are to move away from complex legal and centralized financial systems into a decentralized system which REQUIRES the use of open source immutable software and relies on the community to test and validate it and ensure that rollbacks (or “bank bailouts”) do not take place, I can’t see a solution from your comment except to abandon all.
I guess here is the question…are you suggesting that Ethereum and the idea of letting others run their code (“apps”) on it is flawed and that only a bitcoin solution which restricts to company approved scripts should exist? Or should we abandon all and just stick with our current banking and legal system?
Adam, with respect, you fundamentally misunderstand this issue, and like Chris said, you’re now going down an entirely different argument which seems to suggest that crypto currency as a whole should be abandoned. Anyhow, I’ll leave one last remark, reiterating what I’ve already said in previous posts. This is NOT an Ethereum problem, it is a Parity problem. I of course agree that losing funds is serious. And I of course in NO WAY agree that Ethereum is less secure or reliable than any other crypto currency, because a) it isn’t and b) this isn’t an issue with Ethereum. It’s an issue with Parity. It’s honestly not that hard. But I agree, Parity should be more careful, and likely will, in the future to avoid these issues in the future for those that use their wallet software.
Anyone who followed precisely what happened in this disaster, and who has a working understanding of Solidity and the EVM, knows that it was 100 percent due to negligence on the part of the Parity team. Solidity and the EVM can be a challenge to learn, much less master, but this was not the problem here. The Parity tam was simply trying to break a contract into two, so that the main part could be a permanently deployed library, and they didn’t think it through — and worse, didn’t act after they were warned, or rather they acted but didn’t follow through. They left in unnecessary functionality to destroy the library contract and therefore to f**k everyone making use of it, and they failed to claim “ownership” so that anyone out there could do so and then use that owner status to destroy the contract. This isn’t even borderline subtle stuff like re-entry issues. It was just a bald screwup, demonstrating that Parity has absolutely no management or team oversight to make sure that even major problems, once publicly identified, are actually fixed — which could have been as easy in this case as claiming the ownership before anyone else did so. A one-minute affair.