An Ethereum [ETH] vulnerability that could allow an attacker to mint large amounts of GasToken when receiving ETH has been uncovered by Level K, a developer of smart contracts and ETH-based decentralized applications.
The vulnerability was discovered last month, on 30th October, but was only announced yesterday in a blog post, after Level K had made sufficient efforts to notify the vulnerable parties. These are mainly cryptocurrency exchanges, since the issue affects transfers of ETH and of ETH-based tokens such as those following the ERC-20 and ERC-721 standards. According to the announcement, the vulnerability also affects Ethereum Classic and other EVM-based blockchains such as the POA Network.
In simple terms, the vulnerability is a failure by senders of tokens and coins to set an appropriate gas limit on their transactions, which an attacker can abuse. According to Level K, the flaw can be used in two ways to benefit a nefarious user:
“An attacker can perform computation in the fallback function of a contract that receives Ethereum from the exchange, or in the transfer functionality of a token listed on the exchange. With the ability to make the exchange pay for large amounts of computation, an attacker can either drain the exchange’s hot wallet (simply by burning gas) or mint GasToken for a potential profit.”
Level K uses the following example excerpt:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
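The defensive side of the scenario above, as an added example in JavaScript that is not Level K's code: an exchange's withdrawal service sets an explicit gas limit on every outgoing transfer instead of letting the node estimate it from the recipient's fallback function, rejects any transaction that lacks one, and flags past recipients whose gas consumption far exceeds a plain transfer. The cap values, field names, addresses and sample receipts are assumptions constructed for the example.

```javascript
// Added example (not Level K's code). Policy values below are assumptions.
const GAS_EOA = 21000n;            // gas a plain ETH transfer to an EOA costs
const GAS_CAP_CONTRACT = 50000n;   // assumed policy cap for contract recipients

// Build a withdrawal transaction with an explicit gas limit. If gasLimit were
// left unset, the node would estimate it from whatever computation the
// recipient's fallback function performs, and the hot wallet would pay for it.
function buildWithdrawal({ to, valueWei, recipientIsContract, gasPriceWei }) {
  const gasLimit = recipientIsContract ? GAS_CAP_CONTRACT : GAS_EOA;
  return {
    to,
    value: valueWei,
    gasLimit,
    gasPrice: gasPriceWei,
    maxFeeWei: gasLimit * gasPriceWei, // worst case the hot wallet can lose to fees
  };
}

// Reject any outgoing transaction that relies on estimation or exceeds the cap.
function checkWithdrawalTx(tx) {
  if (tx.gasLimit === undefined) return { ok: false, reason: "gasLimit not set" };
  if (tx.gasLimit > GAS_CAP_CONTRACT) return { ok: false, reason: "gasLimit above policy cap" };
  return { ok: true };
}

// Detection over past withdrawal receipts: group recipients whose gasUsed is
// well above a plain transfer (candidates for expensive fallback functions)
// and total the fees they cost the hot wallet.
function flagExpensiveRecipients(receipts, threshold = GAS_EOA * 2n) {
  const byRecipient = new Map();
  for (const r of receipts) {
    if (r.gasUsed <= threshold) continue;
    const cur = byRecipient.get(r.to) || { count: 0, feeWei: 0n };
    cur.count += 1;
    cur.feeWei += r.gasUsed * r.gasPriceWei;
    byRecipient.set(r.to, cur);
  }
  return byRecipient;
}

// Constructed sample receipts (not real chain data): one normal transfer and
// two withdrawals to a recipient that burned far more gas than a transfer needs.
const GWEI = 10n ** 9n;
const SAMPLE_RECEIPTS = [
  { to: "0xaaaa", gasUsed: 21000n, gasPriceWei: 10n * GWEI },
  { to: "0xbbbb", gasUsed: 1800000n, gasPriceWei: 10n * GWEI },
  { to: "0xbbbb", gasUsed: 1750000n, gasPriceWei: 10n * GWEI },
];
```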
Some would not call this a vulnerability but rather a mistake on the part of the party sending the transaction. However, if exploited, it could lead to tremendous losses for the victim. According to Level K, the warning is directed not only at cryptocurrency exchanges but also at individuals who may send crypto to smart contract addresses without reading the contract code.
According to the blog post, Level K contacted the vast majority of cryptocurrency exchanges earlier last week to ensure that they had effectively patched the vulnerability before the discovery was made public. By the time of the announcement, Level K reported that all of these exchanges had responded to the warning notification and patched the vulnerability.