Still freezing? Ethereum Parity wallet vulnerability still exists, no easy solution yet

It’s been three weeks since $160 million worth of Ethereum was frozen on the Parity Ethereum wallet, and there’s still no solution to release those funds. However, that’s not to say there aren’t discussions about returning the Ethereum to its rightful owners.

As time went on, there was a growing debate on public chat channels about how best to resolve the issue, particularly how to implement a network-wide fix without rolling back the entire history of the ethereum blockchain.

There has been noticeable activity in a public channel hosted on GitHub that was created by the ethereum development team to discuss proposals for smart contract deadlocks. (Such asset losses occur with some frequency, such as when users send funds to a non-existent wallet.)

But the discussion around the Parity incident is different, in part because of the scope of the funds lost and the politics inherent in the decision.

As happened with last year’s infamous DAO hack, the incident has fueled a debate about whether Ethereum is too centralized and whether its blockchain is truly immutable (meaning that transactions cannot be tampered with).

This is mainly because, in response to the DAO, Ethereum stakeholders approved and carried out a rewrite of blockchain history, a move that sparked controversy and criticism, and even spawned an alternative blockchain, Ethereum Classic, which is now worth $1.7 billion.

Although Parity developers have rethought how to address this difficulty, there have been some changes in their thinking as to whether this is the best way to deal with a large-scale hack.

As one commenter on the recovery channel put it:

“If the Ethereum Foundation needs to do a hard fork every three to twelve months to move funds around, then we are using the Ethereum bank.”

Unlike the DAO incident

However, while the political tensions are reminiscent of the DAO incident, there are some key differences between the two attacks. The difference is that in the DAO incident, funds were stolen, while the Parity wallet was frozen due to a security breach.

While there are conspiracy theories about whether Parity developers acted maliciously — accidentally deleting the codebase in the process of stealing funds — the fact that the affected ETH was not integrated into a wallet changes the view on whether the technology was malicious.

In particular, there will be no rollback on the Ethereum blockchain.

As Ethereum developer Nick Johnston wrote in response to the channel dispute: “Why do you think lost funds must be recovered in a timely manner? I had my bicycle stolen and now it is back, not lost.”

Instead, the proposed Ethereum update involves changes to existing Ethereum Improvement Proposals (EIPs) to prevent ETH from being frozen on a larger scale. In short, developers are trying to take a broader approach to the problem.

But while developers are focused on improving the security of the Ethereum network as much as possible, none of the solutions discussed so far appear to have reached consensus.

Imperfect Choice

For example, the existing Ethereum Improvement Proposal EIP 156 could be modified to refund some Parity wallet losses by adding a new rule to the software.

Created by Ethereum founder Vitalik Buterin last October, EIP 156 is named “Saving Ethereum from Frozen Accounts.” However, despite the promising name, developers are not convinced that it fully matches the current Parity problem.

EIP 156 allows funds to be recovered by giving owners of lost ETH a way to mathematically prove they are the rightful owners. However, it applies only to funds held in accounts that run no code, or in empty smart contracts, and so cannot rescue the Parity wallets, which still contain the relevant frozen code.

Although EIP 156 could be extended to address the current issues, such a fix is not yet perfect.

According to Ethereum security lead Martin Holst Swende, Parity refunds could be hardcoded into EIP 156, which would facilitate a one-time return of funds. However, refunds would not apply to ICO tokens affected by the hack.

And due to a flaw in the code, the wallets, once recovered, would not be returned to their original owners – instead, they would automatically go to the technology’s “creators.”

One of the solutions hailed as more “beautiful” on the recovery thread is tokenizing lost assets, similar to the credit tokens Bitfinex distributed after its $60 million hack last year.

The idea was inspired by EIP 156 itself, which creates a token that the owner of lost funds can use to prove their ownership. This would allow traders to speculate on the amount of funds released, and according to Holst Swende, it could allow those affected by the Parity hack to win back their funds before the underlying code is fixed.

Likewise, Holst Swende speculated that perhaps this type of token could be used as a voting mechanism to discover whether the community actually wants a core wallet upgrade.

Parity official proposal

While it may be up to the UK-based Parity to define the proposal regarding lost funds, it rarely appears on the channel, though this may not be a reflection of the company’s work behind the scenes.

In response to a query, a representative said discussions would likely take place soon.

It’s unclear whether conversations among other ethereum community members influenced Parity’s proposal, but representative Afri Schoedon wrote yesterday asking for a summary of the discussion, noting:

“Parity may discuss the proposal this week, but I’d like to know about any other proposals.”

According to rumors, a Parity member is working on a fix that would require changes to the Ethereum Virtual Machine (EVM) to instruct lost wallets “not to self-destruct.”

While unconfirmed, the proposal has become a point of contention for Johnston, who told CoinDesk it would “change an important invariant” in the EVM, leading to “unexpected bugs in contracts that have already been deployed.”

However, Afri Schoedon gave assurances that Parity intends to provide “more than one proposal” and to defer to the community to decide “which one is acceptable or desired.”

“We’ll probably add two or three of our own proposals,” he told CoinDesk.
