Security or Not, Ethereum's Soul Searching Isn't Over

(Bloomberg) -- There’s an existential debate raging among Ether advocates even after regulators stated that the second-biggest cryptocurrency shouldn’t be considered a security.

The discussion centers around whether users should be able to undo erroneous or faulty transactions, and if so, in which cases and who decides. Then there’s the broader question of how to decide on the answers in the first place. Thousands of software developers, miners and investors scattered across continents are struggling to sort this out, all while Ethereum continues to be the preferred platform for token sales raising billions of dollars.

What triggered the recent consternation was a software bug in some so-called digital wallets that froze about $150 million of funds in November. While the Ethereum community tries to figure out what to do about the still unattainable funds, the snafu has shone the spotlight on network governance.

“It gets a little complicated when you’re still working on a 747 that’s flying through the air,” said Griff Green, co-founder of blockchain-based charity platform Giveth, who has been involved in the governance debate. “So nobody’s making any strong pushes one way or another. The first step is to build some kind of signaling method so we can figure out what the consensus around a solution is.’’

What’s now known as the Parity hack stemmed from a change in multisignature wallet software implemented by Parity Technologies in early 2017 to drive down costs. The Parity team decided to put functionality that’s common to many smart contracts, including wallets, in a repository known as a library.

The rewriting of the code introduced vulnerabilities which were exploited in July, when a hacker stole about 150,000 Ether, and again in Nov. 7. The perpetrator of the second hack, who went by the pseudonym devops199, was able to delete the library, leaving 513,774.16 ether, valued at about $150 million at the time, locked inside 587 wallets. “I accidentally killed it,” he proclaimed. Blockchain network Polkadot, a Web3 Foundation project that Parity has been contracted to build, lost access to $90 million.

Ethereum’s Ether dropped almost 3 percent the day of the hack to as low as $290.80, but quickly recovered amid a bull run in cryptocurrency markets, soaring to as high as $1,299.70 in January. It has tumbled 70 percent from that high to around $433. Stuck funds are now valued at about $220 million.

Solutions being discussed go from broad enough to encompass a wide range of cases, to unlocking only funds affected in the Parity hack, to not doing anything at all.

In the broader alternative camp are Ethereum Improvement Proposal 156, made by Ethereum creator Vitalik Buterin in 2016, and EIP 867, which identify common classes of stuck funds and provide a standardized format for recovering them. EIP 999, proposed by Parity developers, would address only funds affected by the Parity hack, restoring the deleted smart contract library.

The Parity hack brought back memories from 2016, when attackers tried to steal about $50 million from a decentralized venture fund called The DAO. The community also had to decide whether to restore the funds. Most, but not all, in the Ethereum community were in favor of a bailout. The controversial move split the Ethereum blockchain in two.

Parity co-founder and Chief Executive Officer Jutta Steiner said in an interview the firm doesn’t want to push for a so-called hard fork, or split.

“We’re trying to work out a solution jointly,” Steiner said. “We have a very particular role because we write and implement the changes to the protocol. But the community is all coming together to work on signaling models, or voting models, to determine what people want going forward.”

The risk is undermining Ethereum governance legitimacy if it’s perceived that the decision was made without due process or enough participation from the community, Ethereum blockchain researcher Vlad Zamfir said in an e-mail.

For some, it’s already too late. Yanislav Malahov, who lost about 8,000 ether in the July hack, says he wouldn’t trust Parity again and is trying to build a better platform for smart contracts called Aeternity. “We’re going to start from scratch, incorporating all the latest research and very expensive lessons learned.”

As the debate rages on with a group of developers and researchers who call themselves Ethereum Magicians and a parallel governance initiative called EIP0 holding summits to discuss, it’s become clear affected wallet owners probably won’t see their funds for months, if they ever do.

Dan Phifer, co-founder of music sharing platform Musiconomi, said 16,475 Ether of the 17,648 he raised in an ICO last year are trapped in a Parity wallet because of the hack. He’s actively trying to find a solution -- he helped write EIP 867-- but he’s already looking for other funding alternatives to stay afloat.

“While we certainly haven’t given up hope that there will be a recovery, it’s pretty obvious that if there is a recovery, it isn’t going to be anytime soon,’’ Phifer said.

--With assistance from Olga Kharif.

To contact the reporter on this story: Camila Russo in New York at crusso15@bloomberg.net

To contact the editors responsible for this story: Michael P. Regan at mregan12@bloomberg.net, ;Jeremy Herron at jherron8@bloomberg.net, Dave Liedtka, Andrew Dunn

©2018 Bloomberg L.P.