A vulnerability found on the Ethereum-based GasToken could’ve seen malicious actors take advantage of it to drain cryptocurrency exchanges’ hot wallets, or even mint new tokens to make a profit.
According to a recently published disclosure, first reported on by The Next Web, the bug affects mainly cryptocurrency exchanges that don’t set gas usage limits on withdrawals. Once a malicious actor withdrew the tokens, he could make exchanges pay large amounts in gas fees to drain its wallets. As the disclosure explains:
In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds.
If cryptocurrency exchanges don’t enforce know-your-customer (KYC) checks, it adds, a malicious actor could even circumvent withdrawal limits. More sophisticated actors could implement a “tax” on transactions and create new tokens for a profit.
Notably, the bug seemingly only affects those that initiate Ethereum transactions, and not those who process them. As such, decentralized cryptocurrency exchanges like ForkDelta and “other smart-contract-based exchanges [that] process transactions initiated by users” are not affected.
It’s currently unclear how many exchanges were affected by the bug, if any. The researchers that caught it privately disclosed the vulnerability, which was found at the end of October, before making it public, and contacted all possibly affected exchanges.
To secure their funds, exchanges were told to “implement reasonable gas limits” on withdrawals. The researchers also advised potentially affected platforms to review their logs as “attackers may have co-discovered this vulnerability.” Other blockchains, including that of Ethereum Classic and EOS, may have similar issues, they noted.
The researchers then suggested additional safety measures:
In the long term, contracts that implement ERC721, ERC777, and ERC677 should put restrictions on gas usage when making calls to unknown addresses. Alternatively, the front-end of decentralized applications that use these contracts can warn users when an unusually large amount of gas is being used.
As The Next Web points out this is notably not the first critical bug discovered so far this year. As CryptoGlobe covered, a smart contract vulnerability that allowed users of cryptocurrency exchange Coinbase to theoretically give themselves unlimited Ethereum was fixed back in March.
Similarly, Monero’s developers fixed a bug that could potentially have seen users lose or double spend funds back in September. The vulnerability, known as “burning bug,” could have seen an attacker destroy XMR in an organization’s wallet.