A bug centered around a new Ethereum token, GasToken, which allowed attackers to abuse cryptocurrency exchanges, appears to have been resolved. Details are provided in a report originally published on November 13, 2018, which discussed how the bug was exploited by attackers and what digital platforms could do to protect their wallet funds.
It was not clear which exchanges were or were not affected by the bug. Therefore, according to a Medium post, private notifications were sent to "as many exchanges as possible". While most of these exchanges were found not to be at risk, all vulnerable exchanges have since put proper protections in place. At the time of writing, the bug is no longer considered a threat.
According to its website, GasToken is an Ethereum-based contract that allows people to tokenize gas on the Ethereum network through a special refund mechanism. Users can store gas when the price is low and redeem what they stored when the price is high.
The website reads: "Every transaction on the network must include some gas, and the commission paid to the miners for each transaction is directly proportional to the gas consumed by a transaction. GasToken allows a transaction to do the same amount of work and pay for less gas, saving on miners' fees and costs and allowing users to bid at higher gas prices without paying higher commissions."
The report states that many exchanges did not apply gas usage limits and allowed withdrawals of ether to arbitrary addresses. Combined with GasToken's refund mechanism, this left an open door for attackers, who could mint GasToken each time they received ether and make the exchanges pay for arbitrary computation.
The attackers could exploit the bug in two ways. The first was to perform computation in a contract's fallback function when the contract received Ethereum-based tokens from an exchange. An attacker could target an exchange by initiating withdrawals to the address of a contract under their control.
Because the exchange operator had failed to enforce gas limits or know-your-customer (KYC) checks, the exchange would pay the transaction fees from its hot wallet. The malicious user could then create multiple accounts to get around the withdrawal limits of a single account. They could also mint GasToken, further draining the exchange operator's wallet.
The second attack vector could be exploited through a token transfer function. The attacker could force an exchange to pay for large amounts of computation and even make it burn its own ether reserves.
From there, the attacker could empty the exchange's hot wallet or mint GasToken for a profit, depending on whether the exchange reviewed the token's code, whether the token had an upgradeable contract, and whether the exchange listed tokens automatically. The attacker could update the transfer function so that, whenever a token transfer occurred, it performed the same computation described in the first method, and the exchange would then pay the cost of every future token transfer.
The good news was that the bug could only affect exchanges that initiated Ethereum transactions, not those that merely processed them. Therefore, decentralized exchanges, or those built on similar smart contract technology that processed user-initiated transactions, would probably not be affected.
The report listed several options to ensure that the problem did not persist. For example, the authors suggested implementing reasonable gas limits on all transactions. That way, if a transaction turned out to be particularly expensive, the user bore the cost rather than the exchange.
In addition, it was recommended that exchange operators apply both gas monitoring and rate capping on all withdrawals. Most exchanges implement one or the other, but neither tactic does much on its own. Finally, Ethereum-based contracts were advised to restrict the gas they forward when calling unfamiliar addresses.
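The following is an added example, not code from the report or from any exchange, showing how the three exchange-side mitigations above fit together in one withdrawal policy: a hard gas limit attached to every withdrawal transaction, gas monitoring that compares each mined receipt against the 21,000 gas a plain ether transfer to an externally owned account consumes, and rate capping applied both per destination address and across all accounts (since the report notes attackers spread withdrawals over many accounts). The thresholds, the `WithdrawalGuard` class and the destination addresses are assumptions constructed for the simulation; no chain access is involved.

```python
"""Simulated exchange withdrawal policy: gas limit + gas monitoring + rate capping.
Added example; the thresholds below are assumptions, not values from the report."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

SIMPLE_TRANSFER_GAS = 21_000        # gas consumed by a plain ether transfer to an EOA
WITHDRAWAL_GAS_LIMIT = 30_000       # hard cap sent with every withdrawal tx (assumption)
MAX_WITHDRAWALS_PER_ADDRESS = 3     # per destination address per window (assumption)
MAX_WITHDRAWALS_GLOBAL = 10         # across all accounts per window (assumption)
WINDOW_SECONDS = 3600


@dataclass
class WithdrawalGuard:
    per_dest: Dict[str, Deque[int]] = field(default_factory=lambda: defaultdict(deque))
    global_times: Deque[int] = field(default_factory=deque)
    suspicious: Dict[str, int] = field(default_factory=dict)   # dest -> gas used

    @staticmethod
    def _prune(q: Deque[int], now: int) -> None:
        # Drop timestamps that fell out of the sliding window.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def authorize(self, dest: str, now: int) -> Tuple[bool, str, int]:
        """Decide whether to send a withdrawal. An approval always carries the
        gas limit the signing code must attach to the transaction."""
        if dest in self.suspicious:
            return False, "destination previously consumed more gas than a simple transfer", 0
        q = self.per_dest[dest]
        self._prune(q, now)
        if len(q) >= MAX_WITHDRAWALS_PER_ADDRESS:
            return False, "per-address rate cap", 0
        self._prune(self.global_times, now)
        if len(self.global_times) >= MAX_WITHDRAWALS_GLOBAL:
            return False, "global rate cap", 0
        q.append(now)
        self.global_times.append(now)
        return True, "ok", WITHDRAWAL_GAS_LIMIT

    def record_receipt(self, dest: str, gas_used: int) -> int:
        """Gas monitoring on the mined receipt. The cap bounds what the exchange can
        be charged, and any excess over the simple-transfer baseline means the
        destination executed code at the exchange's expense, so it gets flagged."""
        if gas_used > WITHDRAWAL_GAS_LIMIT:
            raise ValueError("receipt reports more gas than the transaction was allowed")
        excess = gas_used - SIMPLE_TRANSFER_GAS
        if excess > 0:
            self.suspicious[dest] = gas_used
        return excess


def simulate():
    """Run constructed receipts through the guard and return (guard, decision log)."""
    guard = WithdrawalGuard()
    # Constructed receipts: (destination, timestamp, gas_used reported by the receipt).
    receipts = [
        ("0xEOA_01", 0, 21_000),         # ordinary user withdrawal
        ("0xCONTRACT_AA", 10, 30_000),   # contract ran code in its fallback until the cap
        ("0xEOA_01", 20, 21_000),
    ]
    log = []
    for dest, t, gas in receipts:
        ok, why, _limit = guard.authorize(dest, t)
        log.append((dest, ok, why))
        if ok:
            guard.record_receipt(dest, gas)
    # A later withdrawal to the flagged contract is refused by gas monitoring.
    log.append(("0xCONTRACT_AA",) + guard.authorize("0xCONTRACT_AA", 30)[:2])
    # Rate capping: a fourth withdrawal to one address inside the window is refused.
    for t in (40, 50, 60):
        guard.authorize("0xEOA_02", t)
    log.append(("0xEOA_02",) + guard.authorize("0xEOA_02", 70)[:2])
    return guard, log


if __name__ == "__main__":
    _guard, decisions = simulate()
    for entry in decisions:
        print(entry)
```

The gas limit is what makes the other two controls meaningful: with the cap in place, the worst a malicious destination can do is burn the cap on a single withdrawal, the receipt then exposes it as consuming more than a simple transfer, and the rate caps bound how many such withdrawals it can trigger before being flagged. The contract-side equivalent the report recommends is bounding the gas forwarded on calls to unknown addresses, for example by using Solidity's `transfer`, which forwards only a fixed 2,300 gas stipend, instead of an unbounded `call`.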
To view the full report, click here.