
This wasn't a third party wallet actually. It is the local Parity wallet and node. What this was, was a bug in the multisig contract that Parity would give you to deploy. So it is a contract you personally deploy onto the ethereum network and then interact with. You do own it, you own the private keys for the address, etc.

But the bug allowed any other address to add themselves as owners and withdraw from it.

Luckily not many people used it and the white hat was able to claim all the rest before anyone else.
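A simplified illustration of the pattern this comment describes, added here and not Parity's code: a wallet whose owner set is written by a one-time initializer, with the single-use guard that keeps arbitrary callers from re-running it. Contract, function and modifier names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified illustration of the pattern described above, not Parity's code.
// A multisig-style wallet records its owner set in an initializer that must
// run exactly once after deployment. The onlyUninitialized guard is the part
// that makes the initializer single-use; without it, any caller could re-run
// initOwners and replace the owner set with addresses of their choosing.
contract GuardedOwnerSet {
    address[] public owners;
    bool internal initialized;
    event OwnersInitialized(address[] owners);

    // Reverts once the owner set has been written.
    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    modifier onlyOwner() {
        require(isOwner(msg.sender), "not an owner");
        _;
    }

    // Runs once; every later call reverts because of onlyUninitialized.
    function initOwners(address[] memory _owners) external onlyUninitialized {
        require(_owners.length > 0, "no owners");
        owners = _owners;
        initialized = true;
        emit OwnersInitialized(_owners);
    }

    function isOwner(address who) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }

    // Owner changes go through the owner check, never through the initializer.
    function addOwner(address who) external onlyOwner {
        require(!isOwner(who), "already an owner");
        owners.push(who);
    }

    function withdraw(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }

    receive() external payable {}
}
```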




Exactly, you are deploying code to the cloud that you didn't write and trusting it with your money.

So many things wrong about that, it's the cryptocurrency equivalent of installing random software packages on your critical servers.


Actually the best practice is not writing your own code and using thoroughly audited industry standards. Writing your own smart contracts for things that other people have already done and secured is akin to rolling out your own cryptography. Obviously, just like it's happened with openssl in the cryptography equivalency, this can also go wrong, but it's less likely.

If you write your own you should get your code audited by a specialist, or many, before deploying.


https://github.com/paritytech/parity

About Parity

Parity's goal is to be the fastest, lightest, and most secure Ethereum client. We are developing Parity using the sophisticated and cutting-edge Rust programming language. Parity is licensed under the GPLv3, and can be used for all your Ethereum needs.

Parity comes with a built-in wallet.

How is this not a third-party wallet? They say right on the page that they're trying to be the best implementation of Ethereum. That means they're not the core implementation, right?


You compared it to Mt Gox, which is where the confusion is coming from. With an online service like Mt Gox you don't have control of the coins at all.

I have no issue using an open source implementation of something. You haven't explained why that's an issue.


Whether it's an online service or a local wallet with an embedded buggy smart contract, your coins are just as gone. If you're perfectly happy to use it, you're perfectly happy to lose everything.

How many millions need to be lost before this lesson is learned?


Again, you haven't made any case for not using open source third party software. The other example you've come up with was a closed source proprietary internet service.

Very few people, for instance, use the official Bitcoin Core wallet.


I believe there have been scam wallet implementations for BTC in the past, though I don't have any info.

They're your coins. Throw them off a bridge if you want. Meanwhile, people who stick with core tech have been burned zero times.

Why does the obsession with shiny new convenient thing outweigh people's good sense not to risk thousands or hundreds of thousands of dollars? If that amount of money were printed out in front of you, you'd take extreme measures to protect it. "Don't use an un-audited third party piece of software that controls the fate of your life savings" is the most basic step.

It occurs to me that you might be arguing against this because you have a large sum stored in some third-party tech. If that's the case, I urge you to snap out of it and transfer your coins somewhere safe immediately.

I say "snap out of it" because that's the phrasing I would've used with myself, right before I lost money in Mt Gox. The only reason that happened is because I never stopped to ask myself "Is this a good idea?"


Just a couple months ago geth clients were crashing due to a memory overload, the fix? Use parity until geth was patched.

Using core implementations is no guarantee that you won't get burned. The only difference between official software and third party open source software is the dev team behind it. The official devs can make mistakes just like anyone else.


So you use the Bitcoin Core wallet do you?

You've veered away from your original statement towards one that I don't disagree with. Of course you shouldn't just trust any software you find on the internet. That's not the same as "only trust Ethereum core". Slandering "third party" as if that has any meaning is silly. You should treat everything on its individual merits, including the Ethereum reference wallet.


My argument has remained the same. The Ethereum reference wallet is by far the most vetted wallet. Use that. (And yes, I use the Bitcoin Core wallet.)

If you used Parity because it has 1,700 stars on Github and was written in Rust, you're doing it wrong. Stop. You can't assess merit based on what everyone else is doing. The only hope in a situation where you don't know what you don't know is to stick with fundamentals. And even then you could still get burned. But that hasn't happened yet, which is why it's the least risky move.

It will take at least a decade for the cryptocurrency ecosystem to stabilize. Why risk anything when you don't have to? Arguing "I don't use the Bitcoin Core wallet because it's less convenient" is exactly that: an unnecessary risk. If you're set on jumping into this world, at least do it safely.


Parity is one of the core Ethereum clients, it is vetted just as much as geth is. The code that has this mistake was written by Ethereum co-founder Gavin Wood, in Ethereum's programming language called Solidity which was made by Gavin Wood as well.

I know you got burned in MtGox, but this has nothing to do with third parties or storing assets in some insecure manner. This is a fundamental issue with Ethereum and its community.

If you want to be safe, don't buy an asset that's being protected by a couple of young and naive idealists that just care about putting their ideas on the market.


If being highly vetted is your main heuristic for safety, then isn't popularity (large number of github stars) directly correlated with that?


Popularity does not correspond to vetting (see the recent parity multisig vulnerability), and highly reviewed software is not necessarily popular (how many people know about libsecp256k1?).


> Slandering "third party" as if that has any meaning is silly

This feels like a good opportunity to point out that a big part of decentralized infrastructure is that there isn't a 'First Party'


Are you saying everyone needs to write their wallet from scratch?


re: sillysaurus3, the "core" wallet is possibly even worse than parity. Why wouldn't you be as safe using the most popular one with the most eyeballs?

If someone steals your coins from the "core" wallet, they're just as gone, correct?

The real moral, as always, is don't keep wealth in a crypto-currency. You'll lose it and have no recourse.


No... Just the opposite.

Stick with core tech. If it's not core, don't use it. It's as simple as that.


Why do you think the core tech is going to be less buggy than the popular tech? One would think the most used wallets are going to be the ones that find the bugs earlier.

