By Level K, the Ethereum Smart contract and dApp developer recently discovered the existence of a vulnerability within the ETH framework which could allow potential bad actors to mint big amounts of GasToken when receiving ETH.
In a recent blog post published on the 21st November, Level K revealed that the abovementioned weakness was flagged to the most at-risk exchanges and these exchanges have since implemented software patches to contain the threat.
What Is The Potential GasToken Weakness?
This vulnerability occurs when ETH is sent to an address, which is then able to carry out arbitrary computations which the transaction originator has to pay for, thus it comes with a risk of “griefing” which is an action by a bad-faith actor designed maliciously to cause damage to network users. An attacker would be able to make transaction originators such as an exchange pay for an arbitrary amount of computation if the exchange has no security features in place such as gas limits.
By way of minting large amounts of GasTokens which receiving ETH, it would be in theory, possible for such griefing attacks to be profitable to bad actors.
Furthermore, this risk is not limited to ETH, but also includes all Ethereum-based tokes for example, the ones built upon ERC-721 & ERC 20 standards. During the process of carrying out contract calls to effect transfers, exchanges which do not set gas limits for their transactions with these tokes could end up paying large amounts of computation and suffering similar fates.
Here is an excerpt from a piece published by Level K which explains the threat:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
Level K claimed that the exchanges that could be potentially affected by this weakness were privately notified back on the 13th of November. Due to the fact that Level K could not exactly determine which exchanges had no protections in place, their notification was sent to as many exchanges as possible, all of whom have already implemented patches to prevent any attacks and fix the problem.
Lastly, Level K also published further information as well as a complete guide of the threat and the actions on how to contain it here.
Do you know of any smaller exchanges that could face this problem? Let us know your thoughts by commenting below and pass this info onto anyone who you think might need it.
Follow CoinBeat on Facebook, Twitter & Telegram
Subscribe to our CoinBeat Newsletter
Submit an article to CoinBeat
View live Marketcap Prices here
Comments