A Bug Making Ethereum Transactions on Exchanges Vulnerable Has Been Fixed


A weakness in how cryptocurrency exchanges handled Ethereum withdrawals, which the relatively new GasToken contract made profitable to abuse, appears to have been resolved. The details are provided in a report originally published on November 13, 2018, which discussed how the flaw was exploited by attackers and what exchanges could do to protect their hot wallet funds.

It was unclear which exchanges were affected, so the researchers issued private disclosures to “as many exchanges as possible”, according to a Medium post. Most of the exchanges contacted turned out not to be in danger, and those that were vulnerable have since put the recommended protections in place. At press time, the issue is no longer considered a threat.

According to its website, GasToken is an Ethereum contract that tokenizes gas by using the network's gas refund mechanism: users mint tokens when gas prices are low and redeem them for a gas refund when prices are high, lowering the net fee of the transaction that redeems them.

The website reads, “Every transaction on the network must include some gas, and the fee paid to miners for each transaction is directly proportional to the gas consumed by a transaction. GasToken allows a transaction to do the same amount of work and pay for less gas, saving on miner fees and costs and allowing users to bid higher gas prices without paying correspondingly higher fees.”


The report states that many exchanges either enforced no gas limit on outgoing transactions or allowed withdrawals of ether to arbitrary addresses, including contract addresses. Combined with GasToken's refund mechanism, this left an open door for attackers, who could mint GasToken whenever they received ether from an exchange and make the exchange pay for arbitrary computation.

Attackers could exploit the weakness in one of two ways. The first relied on a contract's fallback function, which runs whenever the contract receives ether. An attacker would initiate a withdrawal from the exchange to a contract address they controlled; the fallback function would then perform expensive computation, such as minting GasToken, with the gas the exchange supplied.

If the exchange enforced no gas limit on the withdrawal, it would pay the resulting transaction fee out of its own hot wallet, and the attacker could simply repeat the process. If the exchange also lacked know-your-customer (KYC) checks, the attacker could create several accounts to bypass any per-account withdrawal limits. Because the computation minted GasToken that the attacker could later redeem or sell, each withdrawal both drained the exchange's wallet further and turned a profit for the attacker.

The second attack vector ran through a token's transfer function. It let the attacker force an exchange to pay for large amounts of computation and even burn the exchange's own ether.

This required the attacker to control the code of a token listed on the exchange, for instance because the token contract was upgradeable or because the exchange listed tokens automatically. The attacker could then update the transfer function so that it performed the same computation described in the first method. From that point on, the exchange would pay the cost of every transfer of that token it initiated, and the attacker could drain the hot wallet or mint GasToken for a profit.

The good news was that the weakness only affected exchanges that initiated Ethereum transactions themselves, not those that merely processed transactions initiated by users. Decentralized exchanges and similar smart-contract-based platforms, where the user signs and pays for each transaction, were therefore likely unaffected.

The report listed several measures to close the gap. First, the authors suggested setting a reasonable gas limit on every transaction an exchange sends. An unexpectedly expensive withdrawal would then fail once it hit the limit instead of charging the exchange an unbounded fee, and any extra cost of delivering to such an address could be passed on to the user rather than absorbed by the exchange.

In addition, exchange operators were advised to combine gas monitoring with rate limiting on all withdrawals. Most exchanges did one or the other, and neither does much on its own: rate limiting without monitoring still lets an attacker spend the full per-withdrawal gas allowance on every request, while monitoring without rate limiting spots the abuse only after many withdrawals have already gone out. Lastly, developers of Ethereum contracts were advised to restrict the gas forwarded when calling unknown addresses, since such a call hands control, and all remaining gas, to code they do not control.
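As an added example that is not part of the original article or of the report it summarizes, the following Python models an exchange's hot-wallet withdrawal pipeline with the exchange-side measures above applied: a fixed gas cap on every outgoing transaction, per-account and wallet-wide rate limits, and gas monitoring over the receipts that come back. It also replays the first attack vector described earlier (a withdrawal to a contract whose fallback function burns all the gas it is handed) with constructed data. Everything runs offline: the cap, window and budget values, the placeholder addresses and the receipts are assumptions chosen for illustration, not figures from the report, and no node or web3 library is called.

```python
"""Exchange-side guard against GasToken-style gas abuse on withdrawals.

Added example, not code from the report or from any exchange. The policy
values below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

GWEI = 10**9
SIMPLE_TRANSFER_GAS = 21_000    # intrinsic gas of an ether transfer to a plain account (EOA)

# Policy knobs (assumed values, not from the report).
WITHDRAWAL_GAS_CAP = 60_000     # enough for a simple contract wallet, far too little to mint GasToken
NAIVE_GAS_LIMIT = 8_000_000     # what "no gas limit" amounts to: roughly a whole block of gas
SUSPICIOUS_GAS_RATIO = 2.0      # flag a withdrawal burning more than 2x the simple-transfer baseline
RATE_LIMIT_WINDOW_S = 3600
MAX_WITHDRAWALS_PER_ACCOUNT = 5
MAX_GAS_PER_WINDOW = 1_000_000  # total gas the hot wallet may spend per window across all users


@dataclass(frozen=True)
class Withdrawal:
    account: str   # exchange-side user id
    to: str        # destination address; may be a contract (placeholder strings here)
    ts: int        # unix seconds


@dataclass(frozen=True)
class Receipt:
    gas_used: int
    gas_price_wei: int


def fee_paid_wei(gas_used: int, gas_price_wei: int) -> int:
    return gas_used * gas_price_wei


def worst_case_fee_wei(gas_limit: int, gas_price_wei: int) -> int:
    # A malicious fallback function can always consume every unit of gas forwarded.
    return gas_limit * gas_price_wei


class WithdrawalGuard:
    """Gas cap and rate limiting before sending, gas monitoring after."""

    def __init__(self, gas_cap: int = WITHDRAWAL_GAS_CAP) -> None:
        self.gas_cap = gas_cap
        self._recent: Dict[str, Deque[int]] = defaultdict(deque)  # account -> send timestamps
        self._gas_window: Deque[Tuple[int, int]] = deque()        # (ts, gas_used) per sent tx
        self.blocked: set = set()

    def _prune(self, ts: int) -> None:
        cutoff = ts - RATE_LIMIT_WINDOW_S
        for q in self._recent.values():
            while q and q[0] < cutoff:
                q.popleft()
        while self._gas_window and self._gas_window[0][0] < cutoff:
            self._gas_window.popleft()

    def admit(self, w: Withdrawal) -> Tuple[bool, str]:
        """Pre-send check; reserves a slot for the account only when admitted."""
        self._prune(w.ts)
        if w.account in self.blocked:
            return False, "account blocked after abnormal gas use"
        if len(self._recent[w.account]) >= MAX_WITHDRAWALS_PER_ACCOUNT:
            return False, "per-account rate limit"
        spent = sum(g for _, g in self._gas_window)
        if spent + self.gas_cap > MAX_GAS_PER_WINDOW:
            return False, "hot-wallet gas budget for this window exhausted"
        self._recent[w.account].append(w.ts)
        return True, "ok"

    def send_params(self, w: Withdrawal, gas_price_wei: int) -> dict:
        """Fields the hot wallet signs; `gas` is always the cap, never the block limit."""
        return {"to": w.to, "gas": self.gas_cap, "gasPrice": gas_price_wei}

    def observe(self, w: Withdrawal, r: Receipt, ts: int) -> Optional[str]:
        """Post-send gas monitoring: account for spend, block abnormal consumers."""
        self._gas_window.append((ts, r.gas_used))
        if r.gas_used > SUSPICIOUS_GAS_RATIO * SIMPLE_TRANSFER_GAS:
            self.blocked.add(w.account)
            return (f"{w.account}: withdrawal to {w.to} used {r.gas_used} gas "
                    f"(baseline {SIMPLE_TRANSFER_GAS}); account blocked for review")
        return None


def simulate_attack(gas_price_wei: int = 10 * GWEI) -> dict:
    """Replay the first attack vector with constructed data."""
    guard = WithdrawalGuard()
    first = Withdrawal(account="user-1337", to="0xATTACKER_CONTRACT", ts=1_000)
    ok, _ = guard.admit(first)
    params = guard.send_params(first, gas_price_wei)
    # Constructed receipt: the fallback runs out of gas at the cap, so the whole
    # allowance is consumed (and charged to the hot wallet) but nothing more.
    receipt = Receipt(gas_used=params["gas"], gas_price_wei=gas_price_wei)
    alert = guard.observe(first, receipt, ts=1_010)
    second_ok, reason = guard.admit(Withdrawal("user-1337", "0xATTACKER_CONTRACT", 1_020))
    return {
        "first_admitted": ok,
        "naive_worst_case_fee_wei": worst_case_fee_wei(NAIVE_GAS_LIMIT, gas_price_wei),
        "capped_fee_wei": fee_paid_wei(receipt.gas_used, receipt.gas_price_wei),
        "alert": alert,
        "second_admitted": second_ok,
        "second_reason": reason,
    }


if __name__ == "__main__":
    for key, value in simulate_attack().items():
        print(f"{key}: {value}")
```

At 10 gwei the uncapped worst case is 0.08 ETH per withdrawal against 0.0006 ETH with the cap, and the monitor blocks the account after the first abnormal receipt so the second attempt never reaches the chain. The cap is what bounds the loss; monitoring and rate limiting only shorten how long an attacker can keep collecting that bounded amount, which is why the report recommends all three together.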

