This is why we need more IT auditors

Wim Maas

The need for competent IT auditors became clear once again. Two weeks ago, a self-proclaimed “newbie” Ethereum developer accidentally locked up around $168 million of strangers’ Ether funds, never to be accessed again. The user, called devops199, seemed to have exploited a bug in a smart contract running the so-called multi-sig wallets of Parity Technologies.

This came to light on November 7, when devops199 himself opened an issue on Parity’s GitHub called “anyone can kill your contract”, in which he posted a comment saying he had killed the contract. Apparently he managed to make himself the owner of the contract, which gave him permission to take an action such as locking up the funds forever.

One day after the incident, Parity issued a security alert saying it is “investigating the situation and are exploring all possible implications and solutions”, and this week Parity published a full account of its investigation. The exploit appears to have been possible due to two unnecessary functions in the smart contract.

First, the contract had a function called ‘initWallet’ that let anyone become its owner. Second, it contained a ‘kill’ function, a legacy function that was basically copy-pasted from the original multi-sig wallet code created by the Ethereum Foundation’s DEV team, Parity Technologies and others in the community.
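The kind of check an auditor would run against those two functions, as an added example that is not part of the original article: a simplified Python model, not Parity's Solidity code. The class names, the `audit_privileged_calls` helper and the hardened variant (owner fixed at deployment, both functions removed) are assumptions made for illustration.

```python
# Simplified model, constructed for illustration; not Parity's Solidity code.
class LegacyWallet:
    def __init__(self, deployer, balance):
        self.owner, self.balance, self.alive = deployer, balance, True

    def _only_owner(self, caller):
        if caller != self.owner:
            raise PermissionError("caller is not the owner")

    def init_wallet(self, caller):
        # Weak: publicly callable and never checks that an owner already exists.
        self.owner = caller

    def kill(self, caller):
        # Legacy function: destroying the contract strands whatever it holds.
        self._only_owner(caller)
        self.alive = False

    def withdraw(self, caller, amount):
        self._only_owner(caller)
        if not self.alive:
            raise RuntimeError("contract destroyed; funds unreachable")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return amount


class HardenedWallet(LegacyWallet):
    # Assumed remediation: owner fixed at deployment, both extra functions gone.
    def init_wallet(self, caller):
        raise PermissionError("owner is fixed at deployment")

    def kill(self, caller):
        raise PermissionError("kill function removed")


def audit_privileged_calls(wallet, outsider="outsider"):
    """Call each sensitive function as an unrelated account; list those that succeed."""
    reachable = []
    for name in ("init_wallet", "kill"):
        try:
            getattr(wallet, name)(outsider)
        except PermissionError:
            continue
        reachable.append(name)
    return reachable


if __name__ == "__main__":
    for cls in (LegacyWallet, HardenedWallet):
        wallet = cls("alice", 100)
        print(cls.__name__, audit_privileged_calls(wallet), "alive:", wallet.alive)
```

An empty result is what the audit should report; any function name in the list is a privileged action reachable by an account that was never given authority over the wallet.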

It is not the first time Parity’s multi-sig wallets have been in the news for badly written smart contracts. In July this year a hacker managed to walk away with $30 million in funds after exploiting a different but similar bug/exploit.

Asked whether the smart contract was audited, Parity stated that “there was no formal audit”, but “the contract had received many reviews internally and externally” after the July attack.

The victim and the perpetrator

It is amid news like this that more and more parties are calling for general standards for smart contracts. Innocent people are the victims of incidents like this, and it is hard to determine who is to blame for the loss of funds. Incidents like this clearly indicate the need for closer review of contracts before they are opened to public use.

FunFair founder Jez San OBE made a statement saying that “it emphasizes what we already knew, that writing smart contracts is hard and that we’re still learning best practices and the chance to introduce bugs is still present.”

Now, apart from hacks and mistakes such as the Parity example shows, smart contracts might also operate in a way that the user does not expect. We have not yet seen many cases of smart contracts coded with malicious intent, but in the current hype around blockchain projects it cannot be ruled out that ignorant users might get scammed on a massive scale, as we have seen in many ICOs.

Conclusion for auditors

It should not be long before regulators recognize the need for smart contract standards and compliance becomes mandatory. Investor protection might even require non-audited smart contracts to be banned entirely in the future.

The shift from the traditional business to the digital, or even decentralised and autonomous, organisation will require entirely different audit procedures. I believe that it is imperative for the accounting and auditing sector to stay up to date with technology. Most audit procedures will be IT audit procedures, and the future auditor should know their programming languages. IT auditors are needed.
