Massive Ethereum breach spells opportunity for banks
November 13 2017
From American Banker
A collective “I told you so!” could be heard last week from the many bankers who have steered clear of cryptocurrency wallets.
A programmer messing around in the code of the digital currency wallet provider Parity Technologies killed a smart contract and vaporized between $150 million and $350 million of the digital currency Ether. The owners of the funds, many of them small businesses, are still waiting to find out if they’ll ever get their money back.
“We don’t support cryptocurrency payments so it wouldn’t affect us,” said Jason Witty, the chief information security officer at U.S. Bank. “Cryptocurrencies are inherently high-risk. By definition, there’s nothing backing cryptocurrency — there’s not a big financial institution or federal bank. It’s the strength of the encryption algorithm that creates a certain number of coins, the market starts trading coins, and that creates value because people are willing to pay for them.”
The volatility of bitcoin, for instance, which has risen in price from $450 to $7,000 this year, puts him off.
“It’s an inherently risky thing and an inherently distributed trust model,” Witty said. “Every wallet provider has their own level of security and level of thought they’ve put into the safety of the structure they run, and it varies widely by provider.”
However, if bankers don’t care today, they should in the future. Digital currency isn’t going away. The total market capitalization of the 900 digital currencies tracked by CoinMarketCap is $203 billion. That’s up from $154 billion in August. Not only are cryptocurrencies taking an ever-expanding role in the economy, but the uncertain security of digital wallets presents a lucrative opportunity for banks.
How Parity got hacked
A programmer who calls himself or herself “devops199” — no one seems to know this person’s real-life identity, though a parody Twitter account and T-shirt are already out there — broke into Parity’s code. The person took advantage of a flaw in the code that Parity’s developers inadvertently created when fixing a bug in July (when a hacker exploited the bug to steal $30 million of Ether). devops199 assumed ownership of a smart contract governing all digital wallets created on Parity after July 20. Then devops199 killed the contract, making the funds inaccessible to their rightful owners.
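To make the bug class concrete, here is a constructed Solidity illustration, added here and not Parity's actual contract code nor anything from the article: a shared wallet library whose one-time ownership setup is left callable by anyone (so a stranger can claim it and then destroy the logic every wallet depends on), beside a hardened form that guards initialization and removes the ability to destroy the shared code. Contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed, simplified illustration of the bug class described above.
// Many wallets share one library contract and delegate their logic to it.
contract VulnerableWalletLibrary {
    address public owner;

    // Meant to run once, via each wallet's constructor. Nothing stops anyone
    // from calling it directly on the library contract and becoming its owner.
    function initWallet(address _owner) public {
        owner = _owner;
    }

    // Whoever is recorded as owner can destroy the contract. Once the shared
    // code is gone, every wallet that delegates to it can no longer move funds.
    function kill(address payable to) public {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

// Hardened form: initialization can happen only once per storage context, and
// the library's own storage is marked initialized at deployment, so the shared
// instance itself can never be claimed by a later caller.
contract HardenedWalletLibrary {
    address public owner;
    bool private initialized;

    constructor() {
        initialized = true; // the library instance is never a user wallet
    }

    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    function initWallet(address _owner) public onlyUninitialized {
        initialized = true;
        owner = _owner;
    }

    // No selfdestruct on shared logic: the owner can sweep a wallet's balance,
    // but cannot remove the code that other wallets rely on.
    function sweep(address payable to) public {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}
```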
Parity is trying to come up with a fix that will unlock the ether for the victims of this breach.
David Mondrus, a cryptocurrency expert, the first person to be married on the blockchain and the CEO of Trive, a company developing software that uses crowdsourcing to verify news stories, said there are two prevailing theories about devops199’s motive.
One is that this was an innocent mistake. In a social media thread, devops199 called it an accident and wrote “i’m eth newbie … just learning.”
“One school of thought says we believe him, he’s just some kid playing with Ethereum, he was doing it on a production network instead of a test network, he made a mistake, he oopsed and wiped out $300 million of value,” Mondrus said. “There have been many oopses in the past where someone pushed the wrong button and something catastrophic happened.”
The second hypothesis is that devops199 was trying to steal the money. “That is backed up by some forensic evidence that says before he oopsed the contract, he was trying to transfer the money,” Mondrus said. “So first he tried transferring, then he tried changing ownership, then he tried to suicide the contract. The first two didn’t work; the third one worked — boom.”
Chris DeRose, community director of the Counterparty Foundation and lead organizer of the South Florida Bitcoin Group, said devops199 wanted to “master the field — if he can do so in very little time, it substantiates his competency, both to others, as well as himself.”
DeRose also suggested the person might be motivated by greed or schadenfreude.
“Ethereum isn’t a particularly impressive project from a tech perspective, and specialists generally know that,” he said. “So when contracts are easily low hanging fruit to attack, specialists will attack it for the fun of it. And really, I respect that, as such demonstrations do educate the community and improve the security of its projects.”
One reason Parity’s smart contracts were vulnerable was that they’re written in Ethereum, which is a young language.
“The issue with new languages is they’re hard to write,” Mondrus said. “What we’re experiencing now are growing pains. Ethereum is only 2 years old. It’s important to pay attention and not put all your eggs in one basket.” This is a veiled reference to Polkadot, a provider of blockchain interoperability software and a Parity customer. Polkadot has a reported $98 million of ether frozen due to the breach.
Mondrus pointed to Vinny Lingham, CEO of CivicKey, which is building a global decentralized identity platform.
“He had a very successful [initial coin offering] this year, raised $30 million, and he diversified 95% of his funds away from crypto and moved it into an asset-allocated basket of securities, equities, debt and cash. That’s a responsible thing to do as the CEO of a company that’s given its word to its investors and employees. Don’t leave all your eggs in one basket. Don’t put everything in the same account.”
Yet most digital wallets are pretty safe, according to DeRose.
The problem that crops up most often with digital currency wallets is user error — users forgetting, deleting or misplacing their passwords.
The opportunity for banks
This digital currency wallet password problem presents a business opportunity for financial institutions.
Banks could offer custodial services through which they hold cryptocurrency account keys for customers — basically digital safe deposit boxes for digital currency keys and passwords.
“Banks can figure out a solution to this problem,” Mondrus said. “There are a lot of really smart people in these institutions. There’s an absolute need for key management.”
And banks have put so much effort and so many resources behind cybersecurity, this is where they can shine, he said.
“Banks have been subject to attacks by every hacker on the planet for the last 30 years,” Mondrus said. “Every hacker that wants money goes after banks. Security is one of the things they do well. I cannot believe over the last three years they have not tried to take the lead. Saying this is not where they want to play is putting blindfolds on.”
They could also sell digital currency through ATMs.
“There’s no reason why JPMorgan Chase, Bank of America, Wells Fargo and the other large banks can’t sell crypto through machines,” Mondrus said. “Why not? Long term, I think that’s the way we’re going to go.”
Editor at Large Penny Crosman welcomes feedback at [email protected]