The recent Parity wallet “freeze” provides yet another example of a coding vulnerability in a smart contract (rather than a flaw in the underlying blockchain or cryptography) resulting in an exploit that compromises cryptocurrency worth millions. It again highlights some of the pitfalls of insecure code in the context of digital assets and raises questions regarding the extent to which software developers can be held liable to their users for losses suffered due to those oversights. As blockchain-related software that serves as a storage vault for digital assets continues to proliferate, it will be interesting to see how industry standards and the existing software liability regime in the U.S. and other jurisdictions evolve to reflect the critical role of secure software in the “Internet of Value.”
The Parity Wallet “Freeze” Explained
Parity Technologies made available, on an open source basis, multi-signature software “wallets” that users could use to store the private keys needed to spend Ether cryptocurrency. Those multi-sig wallets were smart contracts built to run on the Ethereum blockchain and, unlike standard Parity “accounts” or other cryptocurrency wallets, required more than one digital signature (private key) before Ether associated with them was approved for transfer.
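To make the approval rule concrete, here is a small Python model of an m-of-n multi-signature wallet: a transfer is recorded as pending and only executes once the required number of distinct owners have approved it. This is an added illustration, not Parity's contract code or anything from the original article; the owner names, the 2-of-3 threshold and the balances are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class MultiSigWallet:
    """m-of-n wallet: a transfer executes only after `required` distinct owners approve it.

    Toy model for illustration; not a real contract. Owners and threshold are fixed
    when the wallet is constructed.
    """
    owners: frozenset          # identities of the key holders (constructed for the demo)
    required: int              # m, the approval threshold
    balance: int               # units of the asset held by the wallet
    pending: dict = field(default_factory=dict)   # tx_id -> {"to", "amount", "approvals"}
    executed: list = field(default_factory=list)  # (to, amount, approvers) of executed transfers
    _next_id: int = 0

    def __post_init__(self):
        if not 1 <= self.required <= len(self.owners):
            raise ValueError("threshold must be between 1 and the number of owners")

    def _check_owner(self, owner):
        if owner not in self.owners:
            raise PermissionError(f"{owner!r} is not an owner of this wallet")

    def propose(self, owner, destination, amount):
        """An owner proposes a transfer; the proposal counts as that owner's approval."""
        self._check_owner(owner)
        if amount <= 0 or amount > self.balance:
            raise ValueError("amount must be positive and not exceed the balance")
        tx_id = self._next_id
        self._next_id += 1
        self.pending[tx_id] = {"to": destination, "amount": amount, "approvals": set()}
        self.approve(owner, tx_id)
        return tx_id

    def approve(self, owner, tx_id):
        """Record an owner's approval; return True if this approval executed the transfer."""
        self._check_owner(owner)
        tx = self.pending.get(tx_id)
        if tx is None:
            raise KeyError(f"no pending transfer with id {tx_id}")
        tx["approvals"].add(owner)   # a set: the same owner approving twice still counts once
        if len(tx["approvals"]) < self.required:
            return False
        self._execute(tx_id)
        return True

    def _execute(self, tx_id):
        """The only place the balance changes; reachable only via a met threshold."""
        tx = self.pending[tx_id]
        if tx["amount"] > self.balance:   # balance may have dropped since the proposal
            raise ValueError("insufficient balance at execution time")
        del self.pending[tx_id]
        self.balance -= tx["amount"]
        self.executed.append((tx["to"], tx["amount"], frozenset(tx["approvals"])))


def demo():
    """Walk a 2-of-3 wallet through one transfer with constructed owners and amounts."""
    wallet = MultiSigWallet(owners=frozenset({"alice", "bob", "carol"}), required=2, balance=100)
    tx = wallet.propose("alice", "constructed-destination", 40)   # 1 of 2 approvals
    after_propose = wallet.balance                                 # 100: nothing has moved
    alice_again = wallet.approve("alice", tx)                      # False: same key, still 1 of 2
    done = wallet.approve("bob", tx)                               # True: second distinct owner
    return {
        "after_propose": after_propose,
        "alice_again": alice_again,
        "executed": done,
        "final_balance": wallet.balance,
        "approvers": wallet.executed[0][2],
    }


if __name__ == "__main__":
    print(demo())
```

The property worth checking in a model like this is that `balance` changes in exactly one place, and that place is reachable only when the approval set, which holds distinct owners, has reached the threshold; a single key, or the same key signing repeatedly, cannot move funds. Keeping the owner set and threshold fixed at construction is part of the same invariant: if either could be rewritten after the wallet holds funds, the signature requirement would be meaningless.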
On November 8, Parity Technologies announced that “devops199”, a user of the prominent web-based software development platform Github, had exploited a software vulnerability in Parity’s multi-sig wallets, resulting in Ether tied to over 500 multi-sig wallets, then valued at over $150 million, becoming completely unusable. Among the impacted users were many high-profile blockchain startups that had used Parity’s wallet platform to raise funds through initial coin offerings (ICOs). This marked the second time this year that Parity’s wallet software had been compromised; the prior incident was on July 19, when hackers exploited another software bug to steal over $30 million in Ether.