A newly discovered Ethereum vulnerability could have allowed hackers to drain an enormous amount of money from cryptographic exchanges. The glitch presumably involved all cryptocurrency exchanges that did not have a gas usage limit.
Ethereum vulnerability discovered that could allow GasToken reading
The researchers found a technical problem that made a large number of cryptocurrency exchanges vulnerable to hacks. The alleged vulnerability of Ethereum could allow potential attackers to make huge profits by emptying the hot portfolios of various exchanges. The vulnerability could allow them to coin GasToken that could charge trades for Ethereum withdrawals, possibly for the benefit of hackers. The researchers stated their findings in a separate document, which they talked about in a post on the Medium blog.
Describing the defect, they stated in their document,
Many exchanges allow Ethereum to be withdrawn at arbitrary addresses without limits on the use of gas. Since sending Ethereum to a contract address performs its fallback function, hackers can make these exchanges pay for arbitrary calculation. This allows attackers to force trades to burn their Ethereum at high transaction costs.
The researchers explained two different exploit scenarios resulting from this bug. In the simplest exploit, an attacker can initiate withdrawals with a vulnerable exchange (without gas limits) to his address with fallback intensive functions. Eventually, the exchange would start paying transaction fees from its portfolio, ultimately to the advantage of the attacker. During this situation, an attacker could also get huge profits with the coin of GasToken, and eventually draining the exchange portfolio.
In the second exploit scenario, an attacker could simply impose a tax on other users who interact with the apps in which the attacker has their own accounts. Each time a user made a transaction on those app with codes on their accounts, the malicious user could issue a small amount of GasToken while making use of the additional gas hidden from the users. So, by paying a small fee to naive users.
The encryption exchanges involved have damaged the defect
The researchers discovered this vulnerability in Ethereum last month, after which they contacted all the allegedly vulnerable cryptographic exchanges. According to their findings, the problem has affected only trades that initiate Ethereum transactions. Whereas, those cryptocurrency exchanges that only managed transactions initiated by users have remained safe. As stated in their report,
DEX and other smart-contract-based exchanges process the transactions initiated by users and are therefore not affected. However, anyone who creates Ethereum transactions in arbitrary addresses may suffer from these or related problems. Ethereum Classic and other EVM-based blockchains (for example, POA network) may also be interested.
Now they have publicly revealed the technical problem in their report after most cryptographic exchanges corrected the vulnerability. As possible mitigation, researchers recommend limiting gas on all transactions.
They also express their concern about the possible co-discovery of the bug by hackers. Therefore, they also recommend reviewing the registers