News, 2018/11: Ethereum token vulnerability could've drained crypto exchanges, collectors
A vulnerability involving Ethereum's GasToken may have let malicious actors drain exchanges' hot wallets, or even mint new tokens for profit.
According to a recently published disclosure, first reported by The Next Web, the bug mainly concerns cryptocurrency exchanges that do not set gas limits on withdrawals. By withdrawing tokens, an attacker could make such an exchange pay large sums in gas fees, draining its hot wallet. The disclosure explains it as follows:
In the simplest exploit scenario, Alice manages an exchange, whom Bob wants to hurt. Bob can initiate withdrawals to a contract address that he controls with a computationally intense fallback function. If Alice has neglected to set a reasonable gas limit, she will pay the transaction fees from her hot wallet. Given a sufficient number of transactions, Bob can empty Alice's funds.
If an exchange does not apply know-your-customer (KYC) controls, the disclosure adds, an attacker could even circumvent withdrawal limits. More sophisticated actors could implement a "tax" on transactions and mint new tokens for profit.
Notably, the bug seems to affect only parties that initiate Ethereum transactions, not those that process them. As such, decentralized exchanges such as ForkDelta and "other smart-contract-based exchanges" [that] process transactions initiated by users "are not affected."
It is currently unclear how many exchanges, if any, have been affected by the bug. The researchers who found it, at the end of October, disclosed the vulnerability privately before making it public and contacted any exchanges that might be affected.
To secure their funds, exchanges were told to "implement reasonable gas limits" on withdrawals. The researchers also advised potentially affected platforms to review their records, as "attackers may have discovered this vulnerability". Other blockchains, including Ethereum Classic and EOS, may have similar problems, they noted.
The researchers then suggested additional security measures:
In the long term, contracts implementing ERC721, ERC777 and ERC677 should restrict the use of gas when making calls to unknown addresses. Alternatively, the front end of decentralized applications that use these contracts can alert users when an unusually large amount of gas is used.
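As an added illustration of the gas-bounding advice above (example code written for this page, not from the disclosure, the researchers, or any exchange), the contract below contrasts a payout that forwards all remaining gas to an address it does not control with one that forwards a fixed allowance and falls back to a pull-based claim when that allowance is not enough. The contract name, the operator pattern and the CALL_GAS_LIMIT value of 30,000 are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not taken from the disclosure or any exchange's code.
// Shows the "restrict gas when calling unknown addresses" advice in practice.
contract BoundedPayout {
    address public operator;

    // Assumed policy value: enough for a plain ETH receive (and modest
    // receiver logic), far below what a compute-heavy fallback would need.
    uint256 public constant CALL_GAS_LIMIT = 30_000;

    // Amounts owed to recipients whose bounded payout did not succeed.
    mapping(address => uint256) public balances;

    event Payout(address indexed to, uint256 amount, bool ok);

    constructor() {
        operator = msg.sender;
    }

    // Lets the operator fund the contract's hot balance.
    receive() external payable {}

    // Pattern the disclosure warns about: a bare call forwards all remaining
    // gas, so the recipient's fallback decides how much of this transaction's
    // fee budget (paid by the sender) gets burned.
    function payoutUnbounded(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "payout failed");
        emit Payout(to, amount, ok);
    }

    // Hardened form: an explicit gas allowance on the external call. A
    // recipient whose fallback needs more than CALL_GAS_LIMIT fails the call;
    // instead of reverting, the amount is credited for a later pull-based claim.
    function payoutBounded(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount, gas: CALL_GAS_LIMIT}("");
        if (!ok) {
            // The value was not transferred, so it is still held here.
            balances[to] += amount;
        }
        emit Payout(to, amount, ok);
    }

    // Pull pattern: the recipient pays its own gas to collect, so its fallback
    // cost never lands on the payer. Balance is zeroed before the call
    // (checks-effects-interactions) to rule out re-entrant double claims.
    function claim() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to claim");
        balances[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "claim failed");
    }
}
```

The bounded variant turns an unbounded fee exposure into a bounded one: the most a single payout can cost the payer is the base transaction cost plus CALL_GAS_LIMIT. Pick the allowance from what legitimate recipients actually need (some contract wallets need more than the 2300-gas stipend of transfer()), and monitor the Payout event for ok == false, since a cluster of failed bounded payouts to fresh contract addresses is the defender-side signal of the pattern the disclosure describes. For an exchange that sends withdrawals from an externally owned hot wallet rather than a contract, the analogous control is the gas limit field of the withdrawal transaction itself, which is what the disclosure's "reasonable gas limits" advice refers to.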
As The Next Web points out, this is by no means the first critical bug discovered this year. As covered by CryptoGlobe, a smart-contract vulnerability that theoretically allowed users exchanging cryptocurrencies with Coinbase to obtain an unlimited amount of ether was fixed in March.
Likewise, in September the Monero developers fixed a bug that could potentially have seen users lose or double their funds. The vulnerability, known as the "burning bug", could have let an attacker destroy the XMR held in an organization's wallet.