John Hjorth Posted November 8, 2017

The Register: Security - Parity Calamity - Wallet Code Bug Destroys $280 MEELION in Ethereum. Ouch.
rkbabang Posted November 8, 2017

oops!

"devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update"

"Gavin Woods, admitted today that a user calling themselves devops199 had "accidentally" triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods' own savings."

Paper wallets are still the safest. I'd never hold millions of dollars in a software wallet. This wasn't even malicious hacking by some super genius, just a software bug triggered accidentally by a newbie.
Liberty Posted November 8, 2017

Security is so hard to get right... In good part because you usually can't have the best people in the world working on every single project, and because the best attackers in the world can pick their targets until they find a weak one (and they are a lot more numerous than whatever team you have working on security, and their incentives are probably bigger than yours for not screwing up).
rkbabang Posted November 8, 2017

> Security is so hard to get right... In good part because you usually can't have the best people in the world working on every single project, and because the best attackers in the world can pick their targets until they find a weak one (and they are a lot more numerous than whatever team you have working on security, and their incentives are probably bigger than yours for not screwing up).

Which is why open source standard protocols are the way to go, so the best people can work on and audit the code. If everyone is rolling their own some are going to be very bad. The problem with that though, is if a bug does exist then everyone is vulnerable. There are no easy solutions right now. Security is tough.

If you have millions or hundreds of millions of dollars to protect, create a paper wallet with a new air-gapped computer which has never been connected to a network, print it on a printer which has never been connected to a network, do this in a concrete basement with no windows (physical glass or MS), destroy the computer's hard drive, then store the paper safely.
Liberty Posted November 8, 2017

Kind of funny how the best practices in this digital world are to print something on paper... :D
rkbabang Posted November 8, 2017

> Kind of funny how the best practices in this digital world are to print something on paper... :D

:( It's still the early days though. None of this has been sorted out yet. I think this is just the tip of the iceberg. A lot of people are going to lose a lot of money due to carelessness and theft before the dust settles. The people who take extreme measures won't.
pau_ Posted November 8, 2017

It seems like a lot of the issues in Ethereum stem from giving developers a full (Turing complete) programming language to design contracts, instead of something more confined and straightforward. Making correct software is hard. You're giving people the equivalent of a chainsaw. Many of whom I suspect are amateurs who don't yet know CS and computer engineering fundamentals.

These aren't new problems; you can read decades of literature about testing software, proving software, dealing safely with transactions, etc. etc. The new thing is that it is totally democratized. I learned programming making some small-scale web apps. Now we have people learning by making things that can transact massive amounts of value on a blockchain.

Hopefully this will improve as higher-level tooling comes along (maybe a strongly typed language that compiles to Solidity? property-based testing?) and people with better fundamentals enter the field and incumbents learn lessons.
doughishere Posted November 8, 2017

> oops!
>
> "devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update"
>
> "Gavin Woods, admitted today that a user calling themselves devops199 had "accidentally" triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Woods' own savings."
>
> Paper wallets are still the safest. I'd never hold millions of dollars in a software wallet. This wasn't even malicious hacking by some super genius, just a software bug triggered accidentally by a newbie.

Don't worry, they're still learning.