On Wednesday, July 19, a panic spread through the young, hyper-connected community that has sprung up around the two-year-old computing platform known as Ethereum. Parity Wallet, a service that allows people to store Ethereum’s digital currency, Ether, had been attacked. Within hours, the hacker or hacker group stole $32 million worth of Ether.
The hack made a lot of people look bad. The theft not only hit a company that was highly trusted, it also targeted a type of wallet that was supposed to be extremely safe. The wallet was also created by Gavin Wood, one of Ethereum’s co-founders and the author of Solidity, the Ethereum coding language.
The attack was more fodder for critics who argue that the much-hyped Ethereum ecosystem is essentially a playground for hackers, complete with what amount to babies just asking to have their candy taken away. “If the creator of Solidity, Gavin Wood, cannot write a secure multisig wallet in Solidity,” Charlie Lee, the creator of the cryptocurrency Litecoin, wrote on Twitter, “pretty much confirms Ethereum is hacker paradise.”
Ethereum is a technology based on the same concept as Bitcoin — it uses a blockchain, or distributed ledger, to record transactions — but it promises to be something much larger than a cryptocurrency. Its proponents say that Ethereum is a way to automate software systems that currently require a lot of manual oversight, while simultaneously creating a global network of distributed computing power that will one day be comparable to the internet. In the future, regular folks could theoretically use apps built on the Ethereum blockchain to book a place to stay, take a taxi, and prove ownership of property, without the need for intermediaries like Airbnb, Uber, banks, or lawyers.
This vision may be too utopian to come true. But there are some powerful players that believe Ethereum has practical applications, and their endorsement of Ethereum came much faster than it did for Bitcoin. As of this writing, 150 companies including Accenture, Intel, J.P. Morgan, Mastercard, and Microsoft had joined the Enterprise Ethereum Alliance, a group of corporations interested in using the technology for business. The market cap for Ether as of this writing was $18 billion.
“It was a really simple two-stage attack that should not have happened.”
But Ethereum is experiencing growing pains. Ether is having wild price fluctuations due to speculation from amateur investors, which discourages its use as a functional currency. There is no must-have or “killer” app for Ethereum yet, and there is a dearth of programmers working on creating one. Last but not least, Ethereum users seem to keep getting hacked.
Days before the Parity Wallet attack, hackers stole $7 million in Ether from users attempting to invest in an Israeli-based startup called CoinDash. Days after the Parity Wallet attack, hackers stole $8.4 million in Ether from users trying to back a new cryptocurrency startup called Veritaseum. At the end of June, hackers nabbed around $300,000 from users of a service called Classic Ether Wallet. In June of last year, hackers made off with $50 million worth of Ether from a service called the Decentralized Autonomous Organization or DAO, forcing a massive code change to the Ethereum platform to correct it. And the hacker or hackers will probably never get caught.
Konstantinos Karagiannis, the CTO for security consulting at BT Americas, is one of the few security researchers who specializes in auditing Ethereum apps. He gets paid to proactively hack financial software so that Fortune 500 companies can secure their tech against attackers. So many of his clients were interested in Ethereum that he started reviewing applications written in Solidity.
We're in the infancy of a new service/field/practice with Solidity hacking. Think attending a talk on web app hacking circa 2000— Konstant Karagiannis (@KonstantHacker) July 28, 2017
The Parity Wallet hack was shockingly basic, he told The Outline. “It turns out that the creator [of the wallet] left out a very important word,” Karagiannis said. “And that one little word was the word ‘internal.’ When you don’t make that declaration, the program will accept what are called messages from an external source. So because he left that simple declaration off, attackers were able to craft a very simple message that told the wallet, ‘Hey, you belong to me now.’ Really simple. After that was done, they were then able to do an execute command that then told the wallet, ‘And, by the way, I’d like that money sent here.’ So it was a really simple two-stage attack that should not have happened.”
Karagiannis, like most people building careers around Ethereum, was actually optimistic about the implications of this latest hack. For one thing, anonymous vigilantes calling themselves the White Hat Group intervened, stealing Ether out of wallets before the hackers could get to it. Later, this group transferred the Ether back to its owners, saving about $200 million from being stolen, he said.
Hacks are also a very effective way to get the community to take security seriously, he said. “I feel like it lights a fire for everyone to do a better job, to put more checks in place, to also be able to respond to things quicker,” he said.
Karagiannis gave a talk at the hacker convention Def Con about the most common Solidity coding mistakes. Teaching security researchers how to evaluate the security of Ethereum apps is a critical step in protecting the ecosystem, he said, and he’s seeing an uptick in interest from ethical hackers hoping to add Ethereum audits to their list of services.
Even so, Ethereum users will probably keep getting hacked for a while.