A critical vulnerability involving an Ethereum (ETH) token has made it possible for malicious actors to force cryptocurrency exchanges to pay extremely high transaction costs. Even worse, attackers could abuse the bug for profit.
The flaw, discovered by a group of cryptocurrency researchers, resides in GasToken, an Ethereum-based token. It is not clear exactly how many exchanges are potentially vulnerable to it, but the researchers have contacted a large number of potentially affected platforms.
The flaw mainly affects exchange services that do not impose gas limits on withdrawals to arbitrary addresses. Once such a transaction has been initiated, attackers could make the exchange pay for large amounts of computation and drain its reserves, or alternatively mint GasToken for profit. For those unfamiliar with the term, minting refers to the process of creating new tokens.
The researchers note that the vulnerability could also allow attackers to impose additional fees on users who interact with attacker-controlled accounts.
According to the researchers, the vulnerability affects only the exchanges (and wallet addresses) that initiate Ethereum transactions, not those that process them. This means that decentralized exchanges (DEX) and forwarding services that use smart contracts to process user-initiated transactions are probably not affected.
The bug was first discovered at the end of October. The researchers then disclosed the issue to the creators of GasToken, as well as to a number of exchange services that could have been affected.
The researchers recommend implementing "reasonable gas limits on all transactions" to defend against this vulnerability, especially when sending transactions to arbitrary addresses.
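The following is an added illustration of that recommendation, not code from the article or from the researchers. It simulates the withdrawal path of an exchange hot wallet: plain transfers to externally owned accounts get exactly the 21,000 gas such a transfer consumes, withdrawals to contract addresses are bounded by a policy cap, and a request whose gas estimate exceeds the cap is refused instead of being paid for. The addresses, gas estimates and the 60,000-gas cap are constructed values; a real implementation would obtain the estimate and the "is this a contract" answer from a node.

```python
"""Hard gas caps on exchange-initiated withdrawals (added example, constructed data)."""
from dataclasses import dataclass

PLAIN_TRANSFER_GAS = 21_000   # gas consumed by a simple ETH transfer to a non-contract address
WEI_PER_GWEI = 10 ** 9


@dataclass
class WithdrawalRequest:
    to: str                       # destination address (constructed placeholder values below)
    value_wei: int                # amount to send
    recipient_is_contract: bool   # assumption: exchange checks whether code exists at `to`
    estimated_gas: int            # assumption: result of a gas estimate from a node (simulated here)


class GasPolicyViolation(Exception):
    """Raised when a withdrawal would need more gas than policy allows."""


def choose_gas_limit(req: WithdrawalRequest, max_contract_gas: int = 60_000) -> int:
    """Return the gas limit the exchange should attach to this withdrawal.

    A plain transfer needs exactly 21,000 gas, so nothing more is offered.
    A contract recipient gets its estimate, but never more than the cap: a
    recipient whose fallback code burns gas on the sender's account (e.g. to
    mint GasToken) is refused rather than funded.
    """
    if not req.recipient_is_contract:
        return PLAIN_TRANSFER_GAS
    if req.estimated_gas > max_contract_gas:
        raise GasPolicyViolation(
            f"withdrawal to {req.to} needs {req.estimated_gas} gas, cap is {max_contract_gas}"
        )
    return req.estimated_gas


def build_withdrawal_tx(req: WithdrawalRequest, gas_price_gwei: int,
                        max_contract_gas: int = 60_000) -> dict:
    """Assemble a transaction dict with an explicit, bounded gas field."""
    gas = choose_gas_limit(req, max_contract_gas)
    return {
        "to": req.to,
        "value": req.value_wei,
        "gas": gas,
        "gasPrice": gas_price_gwei * WEI_PER_GWEI,
    }


def max_fee_exposure_wei(tx: dict) -> int:
    """Worst-case fee the sender can be charged: every unit of gas offered, at the price set."""
    return tx["gas"] * tx["gasPrice"]


def process_batch(requests, gas_price_gwei: int = 20, max_contract_gas: int = 60_000) -> dict:
    """Run a batch of withdrawals through the policy; return which were sent and which refused."""
    sent, refused = [], []
    for req in requests:
        try:
            tx = build_withdrawal_tx(req, gas_price_gwei, max_contract_gas)
            sent.append((req.to, max_fee_exposure_wei(tx)))
        except GasPolicyViolation as exc:
            refused.append((req.to, str(exc)))
    return {"sent": sent, "refused": refused}


# Constructed sample batch: a normal user, a modest contract wallet, and a gas-burning recipient.
SAMPLE_REQUESTS = [
    WithdrawalRequest("0x" + "11" * 20, 10 ** 18, recipient_is_contract=False, estimated_gas=21_000),
    WithdrawalRequest("0x" + "22" * 20, 5 * 10 ** 17, recipient_is_contract=True, estimated_gas=45_000),
    WithdrawalRequest("0x" + "33" * 20, 10 ** 16, recipient_is_contract=True, estimated_gas=2_000_000),
]

if __name__ == "__main__":
    result = process_batch(SAMPLE_REQUESTS)
    for to, fee in result["sent"]:
        print(f"sent to {to}: max fee {fee / 10 ** 18:.6f} ETH")
    for to, reason in result["refused"]:
        print(f"refused {to}: {reason}")
```

The design choice worth noting is that the cap bounds the exchange's exposure even when the refusal branch is not taken: a transaction sent with an explicit gas field can cost at most gas times gasPrice, so a recipient that tries to burn more simply causes the transaction to run out of gas and revert at that bounded cost, instead of draining the hot wallet.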
Blockchain is not as secure as the myths suggest
For the record, this is not the first time that vulnerabilities in cryptocurrencies (or third-party software designed for them) have put the holders' funds at risk.
At the start of this year, researchers found a vulnerability in the Coinbase exchange that made it possible to be awarded practically unlimited quantities of Ethereum. Likewise, a flaw in a wallet solution for Monero allowed XMR to be stolen.
In the meantime, those interested can find the full disclosure of the GasToken vulnerability here.
Published November 22, 2018 – 10:55 UTC