
Frozen Ether Issue and Mitigation Technique: Explained


In one of the most infamous crypto incidents, one that sent shockwaves through the digital financial landscape, around $162M in Ether was locked away (frozen) in Parity digital wallets due to a code vulnerability in the Parity wallet software.

Just like a bank vault without a key, the issue of frozen Ether has left countless crypto investors stranded. 

But how did this happen? How do we address this frozen Ether issue and protect crypto assets? Let’s unravel the intricacies now. Keep reading to know more. 

Understanding the Problem of Frozen Ether

In Ethereum smart contracts, weaknesses can arise at different levels: in the blockchain itself, in the Ethereum Virtual Machine (EVM), or within the Solidity code. Ether getting locked away is a Solidity-level issue.

Imagine putting money in a piggy bank but losing the key forever; that’s somewhat similar to what happens with the Frozen Ether. 

When a contract lacks the function to return the Ether stored within it, the Ether becomes “frozen,” stuck within the contract, making it inaccessible for users.

In other words, when a smart contract accepts Ether but doesn’t allow users to withdraw it, it essentially locks up the Ether within the contract indefinitely. Let’s have a look at the locked Ether vulnerability in a contract.

Example contract: 

contract LockedEther

Here, the smart contract named “LockedEther” accepts Ether through a payable function but doesn’t provide any way for users to withdraw it. The Ether is added to the “lockedAmount” variable, which can’t be withdrawn or destroyed. 

How Is Ether Locked Away in Contracts?

The Frozen Ether vulnerability occurs in a few different ways:

Accidental Killing of Linked Contracts

Sometimes, a smart contract relies on another contract or a library to perform certain functions. If that linked contract gets destroyed either by mistake or intentionally, it can lock up the Ether within the main contract.

For example, if a library contract used for transferring Ether accidentally gets deleted, it can prevent the main contract from releasing the Ether stored in it. 

Missing Code for Ether Movement

Smart contracts need specific code to allow users to withdraw Ether from them. If this code is missing or not implemented correctly, it can trap Ether inside the contract. 

This happens when the contract doesn’t have statements like “call,” “send,” or “transfer” to move the Ether out of the contract. In simple terms, the contract accepts Ether but doesn’t know how to give it back.

contract ModifiedBitway

As you can see, the above contract has a method with a payable directive in line #2 but lacks any program path to the CALL, DELEGATECALL, or SELFDESTRUCT opcodes.

How to tackle the locked Ether vulnerability?

To prevent the Ether loss issue, take the following into account:

  • Implement withdrawal mechanisms that include functions like “transfer” or “send.”
  • Perform rigorous testing and code audits to identify and rectify coding loopholes.
  • Balance inbound and outbound Ether traffic. The fallback function handles inbound traffic, whereas “call,” “send,” and “transfer” handle outbound traffic.

Example Contract: 

contract FixedEther

The above contract includes a withdraw function that allows the contract owner to withdraw the Ether. The withdraw function transfers the Ether to the owner’s address. This way, the locking of the Ether is prevented.
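The locked and fixed patterns described above, side by side, as an added Solidity example that is not the code from the original post. `LockedEther`, `lockedAmount` and `FixedEther` are the page's names; `deposit`, `owner`, the events and the compiler version are assumptions, and the outbound transfer uses a checked `call`, one of the three outbound statements the page lists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable form: accepts Ether but has no code path that sends it out.
contract LockedEther {
    uint256 public lockedAmount;

    // Assumed function name; the page only says "a payable function".
    function deposit() external payable {
        lockedAmount += msg.value;
    }
    // No withdraw function and no call/send/transfer anywhere:
    // every wei sent here stays at this address permanently.
}

// Hardened form: an owner-only withdrawal balances the inbound path.
contract FixedEther {
    address payable public immutable owner;

    event Deposited(address indexed from, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);

    constructor() {
        owner = payable(msg.sender);
    }

    function deposit() external payable {
        emit Deposited(msg.sender, msg.value);
    }

    // Plain transfers with empty calldata are accepted and logged too.
    receive() external payable {
        emit Deposited(msg.sender, msg.value);
    }

    function withdraw() external {
        require(msg.sender == owner, "not owner");
        // Use the real balance rather than a counter: Ether can arrive
        // without running any code in this contract.
        uint256 amount = address(this).balance;
        // Checked low-level call: revert if the owner cannot receive.
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(owner, amount);
    }
}
```

When reviewing a contract for this issue, confirm that every `payable` entry point is matched by at least one reachable outbound path and that the access check on that path can actually be satisfied.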

End Note

One of the effective solutions to reinforce the security of your smart contracts and safeguard against the Frozen Ether problem is performing code audits from trusted security firms like QuillAudits. Our expertise in providing web3 cybersecurity solutions ensures your crypto assets remain accessible and secure.

Reach out to our website and live chat with our expert for further inquiries. 
