Chronobank - New Parity multisig bug. Why ChronoWallet is safer.
ChronoBank’s totally new multi-sig implementation will be reserved for TIME holders.
‘I accidentally killed it.’ This was the comment of the dev who claimed his ineptitude had caused a major headache for Parity users.
Stating he was an Ethereum newbie, ‘devops199’ told Parity developers in a public chat room that he had been tinkering with various commands and had inadvertently sent a transaction that froze roughly half a million ETH held in multi-sig wallets. He later admitted he had been researching the previous multi-sig vulnerability, which came to light in July this year, in which an attacker had been able to exploit Parity’s wallet contract and steal 150,000 ETH, with a market value of around $30 million at the time.
The irony will not be lost on readers. The first exploit let an unauthorised party take control of a supposedly secure multi-sig contract. The second means that no one, the legitimate owners included, can access the funds held in their multi-sig wallets. Whilst the second bug ‘solves’ the problem of unauthorised access to funds, it will come as a rather unwelcome shock to a lot of Ether holders. This time, around $150 million of virtual currency has been affected, giving the episode the unenviable distinction of being the largest loss of Ether by dollar value that has ever occurred, exceeding even The DAO hack (which drained far more ETH, but at a far lower price).
The problem affects all wallets created after 20 July, when the fix for the previous bug was deployed. You can find out more about exactly how the issue arose in this blog post. The short version is that the ‘user’ (we’ll charitably assume this wasn’t deliberate for now) took ownership of the shared library contract that every Parity multi-sig wallet delegates its logic to, and then ‘suicided’ it, removing the library’s code from the chain.
‘The user basically called the initWallet function on the above given contract and then became the owner of the contract himself. Once the user acquired ownership, he killed the contract (a.k.a. suicide). The user could call the initWallet function and become the owner of the contract because it was not initialized and the variable only_uninitialized was not set. When a new multi-sig wallet (which is technically a contract) is deployed, the code that is present in Parity’s Github is essentially used as a template for the smart contract. The multi-sig wallet that is deployed calls the contract address mentioned above using the delegateCall function. Since this contract is nuked, the multi-sig wallets have become unusable, as all their logic was dependent on the library contract. Essentially, no funds that are residing in the multi-sig wallets can be transferred out.’
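To make the quoted mechanism concrete, here is a cut-down Solidity illustration of the same shape: one shared library holding all the wallet logic, a thin wallet that forwards everything to it with delegatecall, and next to it a guard that would have refused the direct call. This is an added example written for this page; it is not Parity’s contract (which is far larger and written for Solidity 0.4) and not ChronoBank’s code. The contract and function names, the ‘no owners recorded means uninitialized’ rule and the onlyDelegated guard are assumptions made for the illustration; it targets Solidity ^0.8.0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration only (not Parity's or ChronoBank's code).
// Vulnerable shape: all wallet logic lives in one deployed library; wallets keep
// only storage and delegatecall into it. delegatecall runs the library's code
// against the CALLER's storage, so the library is only meant to execute from
// inside a wallet. But the library is itself a live contract with its own
// (empty) storage, and nothing stops anyone from calling it directly.
contract WalletLibrary {
    address[] public owners;   // slot 0; Wallet must use the same layout
    uint256 public required;   // slot 1

    // "Uninitialized" is defined as "no owners recorded" (assumption). In the
    // library's OWN storage that stays true forever, because no one ever
    // initialized the library itself.
    modifier onlyUninitialized() {
        require(owners.length == 0, "already initialized");
        _;
    }

    modifier onlyOwner() {
        require(isOwner(msg.sender), "not an owner");
        _;
    }

    function initWallet(address[] memory _owners, uint256 _required)
        public virtual onlyUninitialized
    {
        require(_owners.length > 0 && _required > 0 && _required <= _owners.length);
        owners = _owners;
        required = _required;
    }

    function isOwner(address a) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == a) return true;
        }
        return false;
    }

    // Incident, step 1: attacker sends initWallet([attacker], 1) to the LIBRARY
    // address and becomes its sole owner. Step 2: attacker sends kill(attacker).
    // selfdestruct removes the library's code, so every wallet's delegatecall
    // now lands on an address with no code.
    function kill(address payable to) public virtual onlyOwner {
        selfdestruct(to);
    }
}

// Thin wallet: identical storage layout, everything else forwarded.
contract Wallet {
    address[] public owners;   // slot 0, mirrors WalletLibrary
    uint256 public required;   // slot 1
    address public immutable lib;  // immutables live in code, not storage

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // After the library is gone this still "succeeds": delegatecall to an
    // address without code returns ok == true and empty data, so a transfer
    // request silently does nothing and the balance stays put.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}

// Hardened shape: refuse to run state-changing functions in the library's own
// storage context. Under delegatecall address(this) is the wallet, so comparing
// it with the address captured at deployment separates the two contexts and
// the direct initWallet / kill calls both revert.
contract WalletLibraryFixed is WalletLibrary {
    address private immutable self = address(this);

    modifier onlyDelegated() {
        require(address(this) != self, "library must be used via delegatecall");
        _;
    }

    function initWallet(address[] memory _owners, uint256 _required)
        public override onlyDelegated
    {
        super.initWallet(_owners, _required);  // base's onlyUninitialized still applies
    }

    function kill(address payable to) public override onlyDelegated {
        super.kill(to);
    }
}
```

Two things worth taking from this. First, the attack is two ordinary transactions sent to the library address, not to any wallet; nothing in the wallets themselves was touched, which is why the per-wallet audits did not catch it. Second, a practitioner assessing a delegating wallet should check the library it points at, not just the wallet: confirm the library address still has code, and send an eth_call of initWallet to the library address expecting a revert. If that call would succeed, the library is still claimable by whoever gets there first.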
For the less Ethereum-savvy, suffice it to say that a lot of people are rather upset about being forcibly converted to the status of long-term and possibly permanent holder. You can read Parity’s update about it here, but it doesn’t look too promising.
ChronoBank’s multisig wallet
Secure multisig is a huge deal for any Ethereum wallet, and — as this episode highlights — the financial and reputational costs of getting it wrong can be immense. ChronoBank has been developing its own multi-sig contracts for several months now. We have tested these internally, subjected them to rigorous professional security audits, and released them to the community for further testing. Our multisig implementation is completely new and does not rely on any of Parity’s code, and we believe it is the most secure available on the market. We have also worked hard on our UX, and believe it is the most user friendly.
By the end of this month, our multisig feature will be available only to TIME holders. You will need a small amount of the TIME token, which will be locked in a contract, to access multisig functionality. We think this is a great way to make the secure wallet more widely available, whilst also benefiting the community. We hope you will all try it out!
For all the latest updates:
TIME is trading on the following exchanges: https://coinmarketcap.com/asse...
It is also available via the Changelly service.