Parity Team Was Aware of Multisig Bug but Postponed Implementing Fix

The Parity multisignature issue involving the freezing of Ethereum funds has taken yet another major plot twist. More specifically, the Parity team has acknowledged that they could have easily prevented the freeze but failed to do so. With over 500,000 Ether still locked up in smart contracts, it is evident the company’s negligence was a big factor. How all of this will play out remains to be determined.

Parity is Partially at Fault for Frozen Funds

It is not entirely surprising to learn that the Parity team knew their multisignature implementation was vulnerable to attack. Many people had suspected as much, even though there was never any real evidence to back up such claims. In a recent report, the team acknowledged they were aware of the issue that froze over 500,000 Ether in smart contracts. No one will be entirely surprised by this plot twist, as it was somewhat expected.

For some reason, the Parity team completely misjudged the urgency of implementing a fix to the problem affecting their smart contracts. It is a bit of a surprising disclosure from a company with so much expertise in the field. There is never a good reason not to fix a major problem right away. A lot of innocent people are paying the price for Parity’s lackluster approach to this issue. That’s not an ideal situation by any means.

The multisignature bug itself lay in the EDCC, the shared library contract used by some Parity wallets. A hacker successfully killed the EDCC and froze over 513,000 Ether in the process. Had the company taken a suggestion on GitHub more seriously, this issue probably never would have arisen in the first place. It is always easy to declare such things after the fact, but the developers messed up royally in failing to take responsibility.

As it turns out, a GitHub user advised Parity to call the initWallet function to prevent non-company actors from obtaining ownership of smart contracts. This implementation was eventually put on the back-burner and labeled a “convenience enhancement” rather than a “security fix”. Of course, they couldn’t have been more wrong in this regard. Ultimately, the team decided to bundle this “enhancement” with their next regular update, and we all know what happened next.

There was no real reason to postpone this implementation, though. The initWallet function could have been called at any time to remove this vulnerability, as soon as the GitHub community suggested it. Alas, the team failed to do exactly that and instead focused on what they assumed was more important. It is difficult to address all issues in the world of software, and there certainly may have been other issues that needed to be addressed as well. Still, the team could and should have handled things very differently; that much is evident.
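As an added illustration (not code from the Parity project), the following simplified Solidity sketch shows the pattern the GitHub suggestion addressed: a shared library contract whose initWallet is never run on the library's own storage can be claimed by whoever calls it first, after which that caller can kill it. The hardened variant initializes the library at deployment, which has the same effect as calling initWallet on the deployed library once, as the article describes. All names other than initWallet are assumptions; the real library's interface is larger.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified sketch (added example, not Parity's actual code).
// Vulnerable pattern: the library is deployed and nobody runs initWallet
// against the library's own storage, so its owner slot stays empty and the
// first account to call initWallet directly on the library becomes its owner.
contract WalletLibraryUninitialized {
    address public owner;      // zero until initWallet runs in this storage
    bool internal initialized;

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Meant to run once per wallet via delegatecall (writing the wallet's
    // storage), but nothing stops a direct call on the library itself.
    function initWallet(address _owner) public onlyUninitialized {
        owner = _owner;
        initialized = true;
    }

    // Whoever owns the library can destroy the code every wallet depends on.
    function kill(address payable _to) public onlyOwner {
        selfdestruct(_to);
    }
}

// Hardened pattern: initialize the library's own storage at deployment, so a
// direct initWallet call on the library always reverts. Wallets that
// delegatecall into it are unaffected, because delegatecall reads and writes
// the calling wallet's storage, not the library's.
contract WalletLibraryInitialized is WalletLibraryUninitialized {
    constructor() {
        initWallet(msg.sender); // deployer claims the library; nobody else can
    }
}
```

A deployment check worth automating: after deploying a shared library, read its owner and initialized slots and fail the release if they are still at their zero values.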

For the time being, all of the money frozen remains locked and totally inaccessible. The Parity team says it’s still working on a solution, but there is no indication as to when these funds will be unfrozen. Rest assured this is not the last we’ll hear of this issue. It is good to see the team acknowledge they were wrong, but it’s only a Band-Aid on a broken arm right now.