In a Medium blog post on November 21, 2018, Level K, a decentralized-application development firm, disclosed a newly identified vulnerability affecting services that send ether (ETH) on the Ethereum blockchain: an attacker who receives ETH at a contract address he controls can mint large amounts of GasToken at the sender's expense.
A New Ethereum GasToken Bug
In the Medium blog post, Level K explained that when ETH is sent to a contract address, the receiving contract's fallback function runs and can carry out arbitrary computation, up to the gas limit attached to the transaction, entirely paid for by the initiator of the transaction.
Level K further noted that this behavior opens the door to "griefing," i.e., action by a bad actor aimed at wreaking havoc on other network users rather than at stealing funds directly.
In essence, an attacker can target an exchange that has not protected itself by setting gas limits on its outgoing transactions: each withdrawal the exchange sends to the attacker's contract burns as much gas as the exchange is willing to pay for, and the attacker's fallback function uses that gas to mint GasToken, which he keeps. The exchange pays an exorbitant fee, and the rogue actor is enriched.
In more severe cases, Level K stated, an attacker may even empty the exchange's hot wallet merely by burning gas this way over many withdrawals.
In a four-page PDF document, the firm further breaks down the exploit scenarios, making it clear that exchanges which support Ethereum token standards including ERC-20, ERC-721, ERC-777 and ERC-677 may be susceptible to this attack, since token transfers also execute code on the receiving side.
Explaining how the entire exploit scenarios work, Level K wrote:
“Kate runs a crypto exchange which Kam wants to attack. Kam can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Kate has failed to set a reasonable gas limit, she will pay transaction fees from her exchange’s hot wallet. With numerous transactions, Kam can drain Alice’s funds.”
Level K went on to explain that if the attacked exchange has no effective know-your-customer (KYC) policies, the attacker can create several accounts on the platform to bypass any per-account withdrawal limit.
Level K also pointed out that the attacker does not even need to be the withdrawal recipient: if a listed token is an upgradeable contract, whoever controls it can later change its transfer logic to be gas-intensive, and if the platform lists tokens automatically, an attacker can simply list a token whose transfer function is designed to burn gas.
To avoid falling victim to this situation, Level K recommends that exchanges set reasonable gas limits on all outgoing transactions and ensure that the cost of any expensive transaction is passed on to the user who requested it rather than absorbed by the hot wallet.
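The following is an added example, not code from Level K's post or PDF, that puts numbers on the scenario above (the ETH-to-contract mechanism, the Kate/Kam withdrawal scenario and the two recommended mitigations). It models the exchange side of a withdrawal: it checks whether the destination has code (in production this would be the eth_getCode RPC call, e.g. web3.py's `w3.eth.get_code`; here a constructed `sample_get_code` stands in for it), caps the gas it is willing to pay for when the destination is a contract, and deducts the worst-case fee from the user's amount. The block gas limit, gas price, addresses, bytecode and the 60,000-gas cap are all assumed values for illustration.

```python
"""Exchange-side withdrawal policy against the gas-griefing vector.

Added illustration, not Level K's code.  Assumed: the constants below, the
addresses, the stand-in bytecode and the get_code callable (which in a real
deployment would wrap the eth_getCode JSON-RPC call).
"""
from dataclasses import dataclass
from typing import Callable

PLAIN_TRANSFER_GAS = 21_000   # gas a plain ETH transfer to an EOA consumes
BLOCK_GAS_LIMIT = 8_000_000   # assumed mainnet block gas limit, late 2018
GWEI = 10**9
ETH = 10**18


@dataclass(frozen=True)
class Withdrawal:
    to: str
    value_wei: int        # ETH actually sent on-chain
    gas: int              # explicit gas limit placed on the transaction
    fee_charged_wei: int  # worst-case fee deducted from the user's request


def fee_exposure_wei(gas_limit: int, gas_price_wei: int) -> int:
    """Most the sender can lose to fees on one transaction.

    Gas is charged per unit actually used, but a fallback that burns (or
    mints GasToken with) everything it is given makes 'used' equal 'limit',
    so the limit times the gas price is the griefing ceiling.
    """
    return gas_limit * gas_price_wei


def withdrawals_to_drain(hot_wallet_wei: int, gas_limit: int, gas_price_wei: int) -> int:
    """Griefing withdrawals needed to empty the hot wallet through fees alone
    (the withdrawn amounts themselves are ignored).  Integer ceiling division."""
    return -(-hot_wallet_wei // fee_exposure_wei(gas_limit, gas_price_wei))


def plan_withdrawal(to: str, amount_wei: int, gas_price_wei: int,
                    get_code: Callable[[str], bytes],
                    contract_gas_cap: int = 60_000) -> Withdrawal:
    """Build the transaction the hot wallet will sign.

    EOA destination: no code can run, so 21,000 gas suffices and the
    exchange absorbs that fixed, tiny fee.
    Contract destination: its fallback runs on the exchange's dime, so cap
    the gas we are willing to pay for and charge the user the worst case.
    """
    if len(get_code(to)) == 0:
        return Withdrawal(to, amount_wei, PLAIN_TRANSFER_GAS, 0)
    fee = fee_exposure_wei(contract_gas_cap, gas_price_wei)
    if amount_wei <= fee:
        raise ValueError("withdrawal does not cover worst-case gas cost")
    return Withdrawal(to, amount_wei - fee, contract_gas_cap, fee)


# Constructed sample chain state: one externally-owned account and one
# contract (any non-empty bytecode marks it as a contract).
EOA = "0x" + "11" * 20
GRIEFER = "0x" + "22" * 20
SAMPLE_CODE = {EOA: b"", GRIEFER: bytes.fromhex("6080604052")}


def sample_get_code(addr: str) -> bytes:
    """Stand-in for eth_getCode over the constructed state above."""
    return SAMPLE_CODE.get(addr, b"")


if __name__ == "__main__":
    price = 20 * GWEI
    wallet = 100 * ETH
    print("no gas limit: one withdrawal can cost",
          fee_exposure_wei(BLOCK_GAS_LIMIT, price) / ETH, "ETH;",
          withdrawals_to_drain(wallet, BLOCK_GAS_LIMIT, price),
          "withdrawals drain a 100 ETH hot wallet")
    print("21,000 gas limit:",
          withdrawals_to_drain(wallet, PLAIN_TRANSFER_GAS, price),
          "withdrawals needed instead")
    print(plan_withdrawal(EOA, 1 * ETH, price, sample_get_code))
    print(plan_withdrawal(GRIEFER, 1 * ETH, price, sample_get_code))
```

At 20 gwei, a withdrawal sent with no explicit gas limit exposes the sender to 8,000,000 × 20 gwei = 0.16 ETH per transaction, so 625 withdrawals empty a 100 ETH hot wallet; with the 21,000-gas cap the same drain would take over 238,000 withdrawals. The user-pays deduction uses the cap rather than an estimate because gas used is only known after mining; any unused gas is refunded to the sender, so the exchange never overpays.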