The vulnerability in the Ethereum token allowed hackers to suck dry exchanges

The flaw, discovered by a group of cryptocurrency researchers, resides in the GasToken cryptostasis based on Ethereum. It is not clear exactly how many exchanges are potentially vulnerable to it, but the researchers have contacted a large number of potentially affected platforms.

The error mainly concerns the exchange services without limits on the use of gas for random address withdrawals. Once such a transaction has been initiated, the attackers could charge the exchanges for large amounts of calculations and empty the exchange reserves. Or alternatively, mint GasToken for profit. For those who do not know, the coinage refers to the process of creating new tokens.

The researchers note that the vulnerability could also allow attackers to charge additional fees to users who interact with attackers' accounts.

According to the researchers, the vulnerability affects only the exchange desks (and the addresses of the portfolios) that initiate Ethereum transactions, not those that process them. This means that decentralized exchanges (DEX) and forwarding services that use smart contracts to process user-initiated transactions are probably not affected.

The bug was first discovered at the end of October. The researchers then divulged the issue to the creators of GasToken, as well as a number of exchange services that could have been influenced.

Researchers recommend implementing "reasonable gas limits on all transactions" to defend against this vulnerability, especially when making random address transactions.

Blockchain is not as secure as the myths

For the record, this is not the first time that vulnerabilities in cryptocurrencies (or third-party software designed for them) have put the holders' funds at risk.