Since the Parity wallet bug was first reported on Tuesday, we have encountered a lot of conflicting information regarding the size and scope of the issue.
Some sources have reported as much as $300m worth of ether had been lost, while others have quoted a lower number of $150m. As for the number of wallets affected, a Google Docs spreadsheet that's been making the rounds shows a total of 151 wallets. However, Parity's own website shows the impact to be much larger with 584 wallets affected.
Even more importantly, we've seen little to no information at all regarding the organizations who own these wallets. And if you're not sure why that matters, consider the chart below.
Many of these wallets belong to companies that raised the money via an ICO. If that money is gone, it's not just a problem for the company. It's a problem for everyone who owns its tokens.
Based on our data, here is our assessment of the situation. We look at the magnitude of the impact and the list of companies/ICOs affected.
On November 6th (last Monday), an Ethereum developer "accidentally" triggered a bug, wiping out a library of code that Parity’s multi-sig wallets depend on. With the code deleted, the ether sitting inside those wallets is for all intents and purposes unreachable.
The developer, who goes by the now-infamous handle @devops199, is not affiliated with Parity and his Github account has since been deleted.
@devops199 comes clean on Parity's Gitter
For a full explanation of how the breach happened, here is a great explainer by Comaelo's Matt Suiche.
What is the impact?
We count 598 affected wallets with a combined balance of 514k ETH, valued at $156 million based on an ETH price of $304.
The script we used to reach these figures is posted here. Essentially, these are its steps:
Loop through every smart contract deployed on Ethereum since July 20. This is the date that the code library in question was created, so any smart contracts that rely on it would necessarily have been deployed after this date.
Identify the affected wallets by looking for the string "863df6bfa4469f3ead0be8f9f2aae51c91a907b4" somewhere in the body of the smart contract initialization code. This string is the address of Parity's code library and it is hard-coded into their wallets.
Affected wallets are identifiable by the presence of the string "863df6bfa4469f3ead0be8f9f2aae51c91a907b4" in their initialization code
- To determine how much ether was lost, we looped through each of the affected wallets and grabbed its current balance using the JSON RPC API.
You can find the code for this script and the full list of affected addresses here.
As stated above, we count 598 affected wallets. But the damage is not nearly as widespread as that number would imply. 496 of the wallets are empty (balance of < 1 ether). And of the remainder, the loss is heavily concentrated in a few large wallets.
Most notably, 60% of the entire loss ($93m of the $156m total) comes from a single wallet belonging to the Web3 Foundation, an organization closely affiliated with Parity itself. The funds had just been raised a few weeks ago in the ICO for the Foundation's new multichain project Polkadot.
More below on which ICOs are affected.
Why is there such a large discrepancy in the loss numbers being reported?
In contrast to our loss estimate of $156m, many sources have reported a much higher figure, in the ballpark of $300m. These reports all appear to trace back to a single tweet from Patrick McCorry, a blockchain researcher at University College London, in which he estimates a total loss of $278m.
Shortly after sending out the tweet, McCorry found an error in the calculation and posted a correction, revising the figure down to $154m. That amount was also independently verified on Parity's own Gitter chat. Yet, the inflated number has continued surfacing in the news, as recently as earlier today.
Which ICOs are affected?
The graphic below displays every affected wallet with a balance of at least 33 ETH (about $10,000). Our data shows 16 of these wallets to be associated with an ICO fundraising.
Click on a circle to view contract details in Etherscan
Note: Ownership of these wallets has not been verified with the companies. The associations are our own estimations based on the data we've collected.
ICOs impacted by the wallet freeze
- Polkadot: 306,276 ETH ($93.1m)
- ICONOMI: 114,939 ETH ($34.9m)
- Centrality: 21,704 ETH ($6.6m)
- Musiconomi: 16,476 ETH ($5m)
- Hedge Token: 4,525 ETH ($1.4m)
- Moeda: 4,361 ETH ($1.3m)
- Wysker: 1,577 ETH ($479k)
- Viewly: 1,400 ETH ($426k)
- Fluence: 1,376 ETH ($418k)
- Live Stars: 672 ETH ($204k)
- IMMLA: 600 ETH ($182k)
- Silent Notary: 286 ETH ($87k)
- Mirocana: 285 ETH ($87k)
- DAO.Casino: 150 ETH ($46k)
- Fiinu: 145 ETH ($44k)
- Jincor: 58 ETH ($18k)
598 wallets are impacted, but only 60 of those wallets have a balance greater than $10,000 (those shown in the graphic above).
The total loss is 514k ETH / $156 million, not $300 million, as many news stories are reporting.
The biggest loser in all of this is Parity itself. They own the $93 million wallet, which represents 60% of the entire loss.
At least 16 of the affected wallets are associated with companies that have raised money via an ICO.
In these 16 cases, it is not only the companies who are affected. Their token holders are affected as well.
Blockchains are not designed to be read by humans. Enter Elementus. We want to make the crypto-universe a more transparent place, and help identify vulnerabilities like this one before they become problems.
Want to contribute or have an idea to toss around? We'd love to hear from you.