It was announced that blockchain security firm Trail of Bits was selected by Parity Technologies to secure their Ethereum client. The security company will begin by auditing their codebase, with the team stating they “look forward to publishing results and the knowledge we gained in the future.”
Parity Technologies combines cryptography, cellular systems, peer-to-peer technology and decentralized consensus to solve the problems that have gone unaddressed by conventional server-client architecture. Their Ethereum client is designed for foundational use in enterprise environments, so businesses and organizations can capitalize on the new opportunities blockchain technology presents.
Parity selected Trail of Bits for several reasons:
– Expert staff brings decades of security knowledge to the field of smart contracts, deep experience with Rust and Solidity, and rapid command of the latest developments in Ethereum security.
– The Trail of Bits team can dig deeper into the construction of smart contracts, the security implications of the Solidity language, and the Ethereum Virtual Machine (EVM) than any other team because of its proprietary tools such as Manticore, Ethersplay, Slither, and Echidna.
– Finally, Parity was attracted by Trail of Bits' interest in jointly publishing the discoveries from the audit, and possibly even educational material, for the benefit of the broader blockchain community.
Over the next few weeks, Trail of Bits will audit the beta branch of Parity and the corresponding jsonrpc library. They will review Parity’s key generation and storage, RPCs that use private keys and are responsible for permissions, and an assortment of smart contracts. Once the report is made public, Trail of Bits plans to write about the lessons learned along with the results.
Last summer, the Parity Technologies Ethereum client was hacked, with $32 million worth of ETH stolen. Following the fix for the original multi-sig issue that had been exploited for that $32m worth of ETH, a new version of the Parity Wallet library contract was deployed on the 20th of July. However, that code still contained another issue: it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. This issue was triggered accidentally on the 6th of November 2017, and subsequently a user called suicide (selfdestruct) on the library-turned-wallet, wiping out the library code, which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
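The two defects described above, an initialiser that anyone can call on the shared library and a destructive entry point living in library code that wallets delegatecall into, as an added Solidity illustration that is not Parity's code: a simplified library in the unsafe shape, beside a hardened version that locks itself at deployment, guards the initialiser, and keeps selfdestruct out of shared logic. Contract and function names are chosen for the illustration only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Unsafe shape (simplified, constructed for illustration): the library is
// never initialised itself, so initWallet can be called on the library
// address, making the caller its owner; kill then destroys the code that
// every wallet proxy delegatecalls into, bricking all of them.
contract WalletLibraryUnsafe {
    address[] public owners;
    uint256 public required;

    function initWallet(address[] memory _owners, uint256 _required) public {
        owners = _owners;      // no check that this contract is uninitialised
        required = _required;
    }

    modifier onlyOwner() {
        bool isOwner = false;
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == msg.sender) { isOwner = true; break; }
        }
        require(isOwner, "not owner");
        _;
    }

    function kill(address payable to) public onlyOwner {
        selfdestruct(to);      // removes the library code for every wallet
    }
}

// Hardened shape: the constructor marks the library's own storage as
// initialised (a wallet proxy's storage starts empty, so initWallet still
// works exactly once per wallet via delegatecall), the initialiser cannot
// be re-run, and there is no selfdestruct in shared logic at all.
contract WalletLibrarySafe {
    address[] public owners;
    uint256 public required;
    bool private initialised;

    constructor() {
        initialised = true;    // the library itself can never become a wallet
    }

    function initWallet(address[] memory _owners, uint256 _required) public {
        require(!initialised, "already initialised");
        require(_owners.length > 0 && _required > 0 && _required <= _owners.length, "bad params");
        initialised = true;
        owners = _owners;
        required = _required;
    }
}
```

Because the hardened library's storage is separate from each proxy's storage, the guard blocks a direct call on the library while leaving every wallet free to initialise itself once through delegatecall.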