A critical vulnerability in an Ethereum-based token made it possible for malicious actors to force cryptocurrency exchange desks to spend extremely high fees on transactions. Even worse, the attackers could abuse the bug for profit.
The flaw, discovered by a group of cryptocurrency researchers, resides in the Ethereum-based cryptocurrency GasToken. It remains unclear precisely how many exchanges are potentially vulnerable to it, but the researchers have contacted the bulk of possibly affected platforms.
The bug primarily concerns exchange services that set no gas usage limit on withdrawals to arbitrary addresses. Once such a transaction has been initiated, the attackers could make the exchange pay for large amounts of computation and drain its reserves, or alternatively mint GasToken for profit. For those unfamiliar, minting refers to the process of creating new tokens.
The researchers note the vulnerability could also allow malicious agents to impose extra fees on users interacting with the attackers’ accounts.
According to the researchers, the vulnerability affects only exchange desks (and wallet addresses) that initiate Ethereum transactions, not ones that process them. This means that decentralized exchanges (DEXs) and relay services that use smart contracts to process transactions initiated by users are likely not affected.
The bug was first discovered at the end of October. The researchers then went on to disclose the issue to the creators of GasToken, as well as a number of exchange services that could have been affected by it.
The researchers advise implementing “reasonable gas limits on all transactions” to defend against this vulnerability – especially when making transactions to random addresses.
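The advice above, and the mechanism described earlier (a payout address that is a contract can burn as much gas as the exchange lets it), in code: an added example written for this article, not the researchers' or GasToken's code. The gas caps, the 8,000,000 block gas limit and the field names are assumptions for illustration.

```python
"""Hypothetical exchange-side withdrawal policy: send every outbound ETH transfer
with an explicit, modest gas limit so a destination that is a contract cannot make
the exchange pay for arbitrary computation.  Added example; not the researchers' or
GasToken's code.  Caps and the block gas limit are assumed values."""
from dataclasses import dataclass

PLAIN_TRANSFER_GAS = 21_000      # gas consumed by a transfer to a code-free account
CONTRACT_PAYOUT_GAS = 50_000     # assumed policy cap for payouts to contract addresses
BLOCK_GAS_LIMIT = 8_000_000      # assumed: the most a single unbounded tx could burn


@dataclass(frozen=True)
class Withdrawal:
    to: str
    value_wei: int
    gas_price_wei: int
    to_has_code: bool   # caller supplies eth_getCode(to) != "0x"; contracts run a fallback


def build_capped_tx(w: Withdrawal, max_fee_wei: int) -> dict:
    """Return an unsigned tx dict with an explicit `gas` field, or raise if even the
    capped worst-case fee exceeds the exchange's per-withdrawal fee budget."""
    gas_limit = CONTRACT_PAYOUT_GAS if w.to_has_code else PLAIN_TRANSFER_GAS
    worst_case_fee = gas_limit * w.gas_price_wei
    if worst_case_fee > max_fee_wei:
        raise ValueError(f"fee cap exceeded: {worst_case_fee} wei > {max_fee_wei} wei")
    return {"to": w.to, "value": w.value_wei, "gas": gas_limit, "gasPrice": w.gas_price_wei}


def worst_case_fee_wei(tx: dict) -> int:
    """Upper bound on what the sender can be charged: gas limit times gas price.
    A tx with no explicit gas limit is treated as able to burn a whole block."""
    return tx.get("gas", BLOCK_GAS_LIMIT) * tx["gasPrice"]


def audit_tx(tx: dict, max_gas: int = CONTRACT_PAYOUT_GAS) -> list:
    """Findings a reviewer would raise about an outbound transaction template."""
    findings = []
    if "gas" not in tx:
        findings.append("no explicit gas limit: destination fallback decides the fee")
    elif tx["gas"] > max_gas:
        findings.append(f"gas limit {tx['gas']} above policy cap {max_gas}")
    return findings
```

At a 10 gwei gas price the capped contract payout can cost at most 0.0005 ETH, while the same payout with no gas limit could be charged for a whole block of computation.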
Blockchain is not as safe as the myths go
For the record, this is not the first time vulnerabilities in cryptocurrencies (or third-party software designed for them) have put holders’ funds at risk.
Earlier this year, researchers found a vulnerability in exchange desk Coinbase, which made it possible to reward yourself with practically unlimited amounts of Ethereum. Similarly, a flaw in a wallet solution for Monero made it possible to surreptitiously steal XMR from exchanges.
Meanwhile, those interested can find the full vulnerability disclosure on GasToken here.
Published November 22, 2018 — 10:55 UTC