If you’ve done any reading on Bitcoin, you’ve likely come across articles about how to protect your cryptocurrency and how to ensure that whatever wallet solution you happen to lose can help keep your Bitcoin safe. There’s a reason for that. Hacks happen. Maybe one of the worst hacks comes with the tragic story of the Parity multisig wallet. Easily one of the most frustrating sidebars in the history of this cryptocurrency, it demonstrates the need for better security in a way few others things could, and those involved are unlikely to forget this tragedy in the near future. Understanding exactly what happened and how to prevent it in the future is a must for those interested in Bitcoin.
The story begins with an understanding of a multisig wallet. Bitcoin exchanges require one user to send another the public and private key behind the Bitcoin. Bitcoin is typically stored in a wallet. Many people are interested in pooling their crypto assets, and to do so, a multisig wallet is required. These are smart-contracts that were created to manage the assets of multiple wallet owners at any one time. The wallets allow the owners to set withdrawal limits, vote on any withdrawals that needed to occur, and vote for any ownership changes. These can enhance security protocol, and owners have to have multiple signatures to move funds out of the wallet. Most who use them are startups and other corporations or groups with a number of asset holders. Multisig wallets could safeguard against hackers and rogue business partners who might want to take off with the money involved.
In 2016, Gavin Wood formed Parity Technologies, which, among other things, offer the Parity wallet which was designed to offer a multisig wallet option that integrated seamlessly with standard tokens and managed Ether transfers. Compatible with all major operating systems, it was an incredibly popular choice. Unfortunately, an attack left those with this wallet absolutely devastated.
Understanding How it Happened
Multisig wallets are given to users as a source code. If someone wants one, they take the code out of a library, deploy the smart contract on the involved blockchain, name the owners, and set the funds inside. Each multisig wallet has its own bit of that cod. In the case of Parity, the code was placed in a library. Unbeknownst to Parity, were the library broken in some way, every contract that depended on it would be affected.
In early November of 2017, that’s exactly what happened. The library itself became a Parity multisig wallet, and an attacker claimed ownership rights of the library. Every deployed dependent contract inside (ie: all of those multisig wallets), became useless, and the attacker killed the entire library. The attacker even worked to change owner lists and withdraw all of the funds inside. It is estimated that 151 wallets were frozen in the process, containing a total of $152 million. More than 573 total wallets were affected in the process, but Parity didn’t release a total balance.
Lessons Learned
As you can likely imagine, sheer panic took hold when the Parity multisig wallet attack occurred. There was no relief in the code, and to this day, while the cryptocurrency involved can’t be moved by anyone, it can’t be claimed by its owners, either. The only hope lies in a hard fork of Ethereum, but not everyone supports this option. Unofficial polls on Twitter have shown about a 50/50 split, and given that $154 million is at stake, it’s not hard to see why there’s so much apprehension. Nearly all involved assured users that the assets were secure, yet frozen, which did little to calm those who wanted access to the assets involved.
Today, multisig wallets are at least slightly more secure thanks to the attack. It was suggested a complete newbie accidentally caused the entire situation, but that does little to reassure those who were involved. While the technology is (obviously) getting better, there are still concerns. In one January 2020 study, an analysis of multisig wallets found extensive security issues, still, and potential attacks to come because the security problems that initially caused the Parity attack still exist in smart contracts today. Fortunately, many involved in the industry are doing enough research to come up with a secure smart contract solution that will work for all involved. Smart contracts aren’t out, you just have to be extraordinarily careful.
Personal Protections
If you’re looking for a safe individual wallet solution, there are a few things that you can do to keep trouble at bay. Start by storing your tokens offline in a hardware wallet or even a paper wallet. You may also want to go one step further and secure that in a locked safe when you’re not using it. You may also want to limit the cryptocurrency that you hold at exchange to what you actually need for exchange purposes. Moreover, using trusted bookmarks to access those exchanges and wallets is an absolute must. Multiple passphrases on a hardware wallet can help, too, as can multifactor authentication. If you can, you may also want to do what’s possible to limit your public exposure. You certainly should never discuss your holdings in a public forum. Finally, double check the address when you’re providing it so you’ll know that you’re working to become part of the solution.
Cryptocurrency problems happen. The Parity multisig wallet is just one example of the hundreds of high-profile attack problems that have occurred over the last several years. Your best bet if you’re interested in the world of Bitcoin or other cryptocurrencies is to do what you can to safeguard all of your funds and assets. That is the only way to significantly reduce the chance of potential losses while actually enjoying what cryptocurrency has to offer you. The trade-off is well worth it, and over time, the knowledge to prevent any potential hacks will be there so thieves can be tracked and hacks can be completely prevented.