Home / Ethereum / The developer of dApp & # 39; Level K & # 39; discovers the vulnerability linked to gas in the Ethereum network

The developer of dApp & # 39; Level K & # 39; discovers the vulnerability linked to gas in the Ethereum network

On Wednesday, November 23, 2018, the decentralized application maker, Level K, released new revelations on Ethereum on their official Medium channel.

The short relationship It was written as a warning that the Ethereum network has a potential protocol vulnerability that could be easily exploited by hackers to harm unexpected users, mainly cryptocurrency exchanges.

A danger for cryptic exchanges

According to the K-level, if an attacker were to withdraw Ether (ETH) from the mobile wallet of the exchange, he would be able to perform an arbitrary calculation that is paid by the owner of the portfolio from which ETH is sent ( hot wallet of the exchange)).

This procedure is known as a mourning carrier.

Provided that the cryptocurrency exchange in question does not have a reasonable gas limit implemented on their platform, an attacker could execute enough transactions to generate GasToken, transforming a mourning carrier into a lucrative attack form.

Since the gas on the Ethereum network is paid in ETH, we can understand why this scheme could be so profitable.

What is even worse, this scheme could also be applied to all cryptocurrencies that rely on the Ethereum network, which means token ERC-20, ERC-721, ERC-777 and ETC-677.

In addition, GasToken, which uses the reimbursement mechanism of Ethereum, allows an attacker to issue huge amounts of GasToken from the ETH used to pay for transactions, storing it when prices are low, only to receive a refund when the value increases .

Level K, together with colleagues from Trail of Bits and IC3, provided a hypothetical example of a centralized exchange interested in their published study relationship, which we will quote in full:

"In the simplest exploit scenario, Alice handles an exchange, which Bob wants to damage.Bob can initiate withdrawals to a contract address that he controls with a computationally intense fallback function.

If Alice has neglected to set a reasonable gas limit, she will pay the transaction fees from her hot wallet. Given a sufficient number of transactions, Bob can empty Alice's funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent the withdrawal limits of a single account.

In addition, if Bob also wants to make a profit, he can count GasToken in his fallback function and make money while Alice's wallet runs out. "

In addition to centralized exchanges, this vulnerability could also be used in decentralized exchanges (DEX), where the attacker could harm the people who interact with his account rather than the exchange itself, billing them a certain amount. of "taxes" each time the interaction is carried out.

Level K exchanges have warned

The K level also reported that since it was not possible to deduce which exchanges implemented a gas limit and which did not, they sent a warning about this potential vulnerability to how many trading platforms could hope that vulnerable ones would tolerate hole security.

The dApp development company stated that most of the exchanges had the protection of the current gas limit, but those that had not successfully corrected their system.

Although it is one of the most used networks on the market, this example shows that Ethereum could still be used to commit malicious activities because its network has not yet been perfected.

New ways are being discovered every day to exploit the blockchain vulnerabilities. However, such revelations could, and hopefully, accelerate the process of making this new technology a quasi-bulletproof transaction flow.

Disclaimer: This is not an investment advice. Cryptocurrencies are highly volatile assets and are very risky investments. Do your research and / or consult an investment professional before investing. Never invest more than you can afford to lose. Never borrow money to invest in cryptocurrencies.

Source link