Multisig Incident : What Happened?
Last week’s Multisig incident involved a little know vulnerability in Parity’s implementation of their Multi-Sig wallet that was exploited by some black-hat hackers. You can read a basic review of events here. Or, for a more detailed analysis, have a read here.
A few leading projects lost millions of dollars to the black-hat hackers. A large number of projects also had their funds hacked, but by white-hat hackers.
vDice Multisig Wallet was NOT affected.
Fortunately we were NOT using the Parity implementation. The base of vDice’s Multisig is the older wallet contract that the Ethereum Foundation itself is using for their funds. The code is here.
— Gav Would (@gavofyork) July 22, 2017
vDice NOT Affected
We chose an alternative implementation because it was the most widely used at the time, and it had been previously audited as well. We had it audited ourselves by New Alchemy back in Q4 of 2016. Having kept the Ethereum Foundation funds safe for a long time, we saw an additional guarantee (i.e it’s already a battle tested contract).
With respect to the above, such an incident must be take very seriously. If the best team in Ethereum (Parity) can make such an oversight, then we all really need to reassess.
Parity are still a great team. Arguably they are the best in Ethereum and blockchain technology generally. So, we are reminded that Solidity and Ethereum are very young technologies. In our opinion they are simply not quite ready to store significant amounts of value.
They only reason to use a Multisig contract would be if the fear of a Solidity compiler bug/error is higher than a single key compromise.
As a very relevant example, almost none of the main exchanges are using Multisig for their cold storage. Probably the uncertainty of the security of Solidity is a factor in their choice.
vDice has now made the same choice. Following the lead of key exchanges in the space, we will NOT be using Multisig wallets for the moment.
We will continue to monitor the code in the space, in this area, and keep everyone updated.