Ethereum smart contract and dApp developer Level K has discovered a vulnerability in the Ethereum framework that potentially allows bad actors to mint large amounts of GasToken when they receive ETH.
In a post published on November 21st, the company revealed that the weakness had been reported to most at-risk exchanges, which have since deployed software patches to contain the threat.
GasToken as a potential security weakness
The vulnerability arises when ETH is sent to an address that can perform arbitrary computation for which the originator of the transaction pays. This carries a risk of "griefing" – an action by a bad-faith actor designed to cause damage to users of the network. In theory, an attacker could make a transaction originator such as an exchange pay for an arbitrary amount of computation if the exchange does not have protections such as gas limits in place.
By minting large quantities of GasToken while receiving ETH, it would therefore be possible, at least in theory, for such a griefing attack to become profitable for a bad actor.
Furthermore, the risk is not limited to ETH but also extends to Ethereum-based tokens such as those following the ERC-721 and ERC-20 standards. When executing contract calls to make transfers, exchanges that do not set a gas limit on transactions involving these tokens may end up paying for huge amounts of computation and suffering a similar fate.
An excerpt from the material published by Level K, explaining the threat with a hypothetical case study, reads as follows:
"In the simplest exploit scenario, Alice handles an exchange, which Bob wants to damage. Bob can initiate withdrawals to a contract address that he controls with a computationally intense fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees from her hot wallet. Given enough transactions, Bob can empty Alice's funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to get around single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function and make money while Alice's wallet runs out."
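The mechanism described above (the originator pays for the recipient's fallback, and a GasToken mint turns that into a profit) can be worked through with a small gas-accounting model. The following is an added example written for this article; it is not Level K's code and not the code of any exchange. It uses the EVM constants in force at the time (21,000 gas base cost of a transfer, 20,000 gas for a GST1-style SSTORE mint, 5,000 gas plus a 15,000 gas refund for the matching clear, refunds capped at half the gas used) and treats the block gas limit, the fallback's fixed overhead, the gas prices and the names `process_withdrawal`, `malicious_fallback`, `net_gas_after_burn` and `optimal_burn_count` as constructed assumptions.

```python
"""Gas-griefing model for the Level K scenario (added example, not Level K's code).

EVM constants used (rules in force in late 2018, before EIP-2200/EIP-3529):
  TX_BASE        21_000  base cost of a value transfer
  SSTORE_SET     20_000  SSTORE writing non-zero into a zero slot (GST1-style mint)
  SSTORE_CLEAR    5_000  SSTORE writing zero into a non-zero slot (GST1-style burn)
  CLEAR_REFUND   15_000  refund credited for that clear
  total refunds are capped at half of the gas the transaction used
Gas prices, the block gas limit and the fallback overhead are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TX_BASE = 21_000
SSTORE_SET = 20_000
SSTORE_CLEAR = 5_000
CLEAR_REFUND = 15_000
BLOCK_GAS_LIMIT = 8_000_000   # assumption: roughly the mainnet limit in November 2018
FALLBACK_OVERHEAD = 5_000     # assumption: fixed cost of entering Bob's fallback
GWEI = 10 ** 9


@dataclass
class Withdrawal:
    succeeded: bool
    gas_used: int
    fee_wei: int          # paid by Alice's hot wallet
    tokens_minted: int    # GasToken now owned by Bob


def malicious_fallback(gas_available: int) -> Tuple[int, int]:
    """Hypothetical fallback of Bob's contract: spend all the gas it is given on
    minting GST1-style tokens. Returns (gas_consumed, tokens_minted)."""
    if gas_available < FALLBACK_OVERHEAD:
        raise RuntimeError("out of gas")
    tokens = (gas_available - FALLBACK_OVERHEAD) // SSTORE_SET
    return FALLBACK_OVERHEAD + tokens * SSTORE_SET, tokens


def process_withdrawal(gas_limit: Optional[int], gas_price_gwei: int,
                       dest_is_contract: bool) -> Withdrawal:
    """Alice's hot wallet sends ETH to a customer address.

    gas_limit=None models a wallet that relies on eth_estimateGas: the estimate
    covers whatever the recipient's fallback does, bounded only by the block limit.
    """
    if gas_limit is None:
        gas_limit = BLOCK_GAS_LIMIT
    price = gas_price_gwei * GWEI
    if not dest_is_contract:
        # plain transfer to an externally owned account: fixed 21 000 gas
        return Withdrawal(True, TX_BASE, TX_BASE * price, 0)
    try:
        consumed, tokens = malicious_fallback(gas_limit - TX_BASE)
    except RuntimeError:
        # the call runs out of gas: the transfer reverts, but the gas supplied
        # up to the limit is still paid for, so the loss is bounded by the limit
        return Withdrawal(False, gas_limit, gas_limit * price, 0)
    used = TX_BASE + consumed
    return Withdrawal(True, used, used * price, tokens)


def net_gas_after_burn(tokens: int, base_gas: int) -> int:
    """Gas Bob actually pays for a later transaction that needs base_gas on its own
    if he burns `tokens` GST1-style tokens inside it. The refund is capped at half
    of the gas used, so burning too many tokens makes the transaction dearer."""
    used = base_gas + tokens * SSTORE_CLEAR
    refund = min(tokens * CLEAR_REFUND, used // 2)
    return used - refund


def optimal_burn_count(base_gas: int) -> int:
    """Largest token count for which the refund is not yet capped:
    15_000*n <= (base + 5_000*n) / 2  <=>  n <= base / 25_000."""
    return base_gas // (2 * CLEAR_REFUND - SSTORE_CLEAR)


def attacker_profit_wei(tokens: int, base_gas: int, burn_price_gwei: int) -> int:
    """Bob's saving on one high-gas-price transaction, paid for entirely by Alice's
    minting fees. Negative means the burn was counter-productive."""
    saved_gas = base_gas - net_gas_after_burn(tokens, base_gas)
    return saved_gas * burn_price_gwei * GWEI


if __name__ == "__main__":
    unguarded = process_withdrawal(None, 10, dest_is_contract=True)
    guarded = process_withdrawal(TX_BASE, 10, dest_is_contract=True)
    print(f"no gas limit: Alice pays {unguarded.fee_wei / 10**18:.5f} ETH, "
          f"Bob gets {unguarded.tokens_minted} tokens")
    print(f"21k limit:    withdrawal {'ok' if guarded.succeeded else 'reverted'}, "
          f"Alice pays {guarded.fee_wei / 10**18:.6f} ETH")
    n = optimal_burn_count(1_000_000)
    print(f"burning {n} tokens in a 1M-gas tx at 100 gwei saves "
          f"{attacker_profit_wei(n, 1_000_000, 100) / 10**18:.3f} ETH")
```

Two things the model makes visible: with no explicit limit, a single withdrawal exposes Alice to the whole block gas limit times her gas price, repeated once per withdrawal Bob can trigger; with a fixed limit, the attack reverts and her loss per attempt is bounded by that limit. The burn side shows the refund cap: Bob profits only by burning a bounded number of tokens per transaction, so he spreads them over many transactions at high gas prices. The caveat for an exchange is that a flat 21,000 gas cap also rejects withdrawals to legitimate contract wallets, which need more than that to receive ETH, so the cap has to be chosen as a policy rather than left to the node's estimate.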
According to Level K, the exchanges potentially affected by the vulnerability were notified privately on November 13. Since it was not possible to say exactly which of them lacked protections, the notification was sent to as many exchanges as possible, all of which have now implemented patches to solve the problem.
Level K has also published more information and a comprehensive overview of the threat and the actions taken to contain it here.