Ethereum Token Hit by Malicious Minting Attack

Ethereum Token Hit by Malicious Minting Attack

Ethereum Smart contract and dApp developer Level K has uncovered the existence of a vulnerability within the Ethereum framework that potentially allows bad actors to mint large amounts of GasToken when receiving ETH.

In a blogpost published on November 21, the company revealed that the weakness has been flagged to most at-risk exchanges who have since effected software patches to contain the threat.

Potential GasToken Security Weakness

The vulnerability arises when ETH is sent to an address, which is then able to carry out arbitrary computations that the transaction originator pays for, which comes with a risk of ‘griefing’ – an action by a bad-faith actor designed to cause damage to network users. In theory, an attacker would be able to make a transaction originator such as an exchange pay for an arbitrary amount of computation if the exchange has no protections like gas limits in place.

By minting vast amounts of GasToken while receiving ETH, it would thus be possible at least in theory for such a griefing attack to become profitable to a bad actor.

What is more, the risk is not limited to ETH, but also includes all Ethereum-based tokens such as those built on ERC-721 and ERC-20 standards. In the course of carrying out contract calls to effect transfers, exchanges that do not set a gas limit for transactions with these tokens can end up paying for vast amounts of computation and suffering  similar fate.

An excerpt from material published by Level K explaining the threat using a hypothetical case study reads as follows:

“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”

According to Level K, exchanges potentially affected by the vulnerability were notified privately on November 13, and because it was not possible to say exactly which ones had no protections in place, this notification was sent to as many exchanges as possible, all of whom have now implemented patches to fix the problem.

Level K has also published further information and a complete rundown of the threat and the actions taken to contain it here.

Featured image from Shutterstock.

21.11.2018 / 23:00 81
Hackers Steal $200,000 Worth of EOS, dApp Had Smart Contract Flaw Hackers Steal $200,000 Worth of EOS,
A gambling application that is based on the EOS blockchain has had a flaw in its smart contract system exploited. Hackers were able to make off with
White Hat Hacker Finds Major Vulnerability in Ethereum DApp Augur White Hat Hacker Finds Major
A white hat hacker has discovered a major vulnerability in decentralized prediction market Augur, perhaps the most highly-touted decentralized
Security Researchers Discover Multiple Epic Vulnerabilities in EOS Blockchain Security Researchers Discover Multiple
Chinese internet and cyber security research firm 360 reported a series of high risk vulnerabilities in the EOS blockchain platform a couple of hours
Bitcoin ABC Patches Critical Vulnerability in Bitcoin Cash Mining Software Bitcoin ABC Patches Critical
Cryptocurrency development team Bitcoin ABC has released a patch to address a critical vulnerability in bitcoin cash mining software. According to
Bitcoin ABC Developers Address a Vulnerability Found Bitcoin ABC Developers Address a
On April 26, 2018, the Bitcoin ABC development team were notified of a critical issue that applies to Bitcoin Cash miners who were utilizing the
Sharding Is Already Ushering in Radical New Ethereum Designs Sharding Is Already Ushering in Radical
So-called "sharding" may still be theoretical, but the promising implications of the concept are becoming more and more real. At least that's the
Comments (0)
Add a comment
Comment on