The perils of a blockchain’s immutable transactions was brought home yesterday as some $30 million in ether was stolen due to a bug in the code of a well known ethereum wallet. It could have been worse: an additional $75 million was at risk because of the same coding fault, but a group of vigilante hackers rescued those funds and are promising to give them back to their owners.
The ether was grabbed from the wallets of at least three projects that had recently completed so-called “initial coin offerings” (ICOs). More worryingly for ICO boosters, the vigilante hackers—who call themselves “The White Hat Group“—saved funds from wallets belonging to some of the biggest coin offerings to date. The bug has now been fixed.
Those wallets required multiple people to sign off on transactions, which were supposed to make them more secure. They were favored by businesses over individual users for that reason. The bug could have been catastrophic, given the nearly $1.3 billion raised in ICOs during the first half of this year.
Even more galling: the theft came after $7 million was stolen from another ICO, called CoinDash, just days ago. That theft was enabled by a simple trick, rather than any issue with the wallet software or ethereum’s code: Hackers replaced the legitimate ethereum wallet address listed on the CoinDash website with one belonging to the hackers.
The $30 million heist is the latest embarrassing, and costly, episode caused by an ethereum coding snafu. The offending code had a single missing word, according to one longtime ethereum programmer, Christoph Jentzsch.
Jenzsch does indeed know the feeling. He wrote the code for the Decentralized Autonomous Organization (DAO), a project launched last April that was a progenitor to the current ICO craze. It was hugely successful, raising over $150 million with its promise to do away with traditional management structures and allow investors to directly dictate how the DAO would allocate its capital and resources. A coding error by Jenzsch meant that a savvy attacker managed to steal some $79 million of those funds. Not only that, it caused the ethereum network to fork, or split, in an attempt to rectify the theft. That’s why we have two versions of ethereum—ethereum and “ethereum classic”—today.
All software has bugs, but when that software is responsible for millions of dollars changing hands through immutable transactions, those coding errors become serious business. It’s one of the problems with trying to build an “unstoppable world computer“—the crux of the ethereum project.