A recently discovered Ethereum vulnerability could have allowed hackers to drain a huge amount of money from crypto exchanges. The glitch allegedly affected all cryptocurrency exchanges that did not have a Gas usage limit.
Ethereum Vulnerability Discovered That Could Allow GasToken Minting
Researchers have found a glitch that made a large number of cryptocurrency exchanges vulnerable to hacks. The alleged Ethereum vulnerability could allow potential attackers to gain huge profits by draining hot wallets of various exchanges. The vulnerability could let them mint GasToken that could make the exchanges pay for Ethereum withdrawals, eventually benefitting the hackers. The researchers have stated their findings in a separate document, about which they disclosed in a Medium blog post.
Describing the flaw, they stated in their document,
Many exchanges allow the withdrawal of Ethereum to arbitrary addresses with no gas usage limit. Since sending Ethereum to a contract address executes its fallback function, attackers can make these exchanges pay for arbitrary computation. This allows attackers to force exchanges to burn their own Ethereum on high transaction costs.
The researchers explained two different exploit scenarios resulting from this bug. In the simplest exploit, an attacker could initiate withdrawals with a vulnerable exchange (with no Gas limit) to his address with Intensive fallback functions. The exchange would eventually begin paying transaction fees out of its wallet, ultimately benefitting the attacker. During this situation, an attacker could also make huge profits by minting GasToken, and eventually draining the exchange’s wallet.
In the second exploit scenario, an attacker could simply impose a tax on other users interacting with apps where the attacker has his accounts. Every time a user made a transaction on such apps having codes on his accounts, the attacker could mint a small amount of GasToken whilst making the additional Gas usage hidden from the users. Thus, charging a small fee from the naïve users.
Affected Crypto Exchanges Patched The Flaw
The researchers discovered this Ethereum vulnerability last month, after which they contacted all supposedly vulnerable crypto exchanges. According to their findings, the glitch only affected the exchanges that initiate Ethereum transactions. Whereas, those cryptocurrency exchanges that only managed transactions initiated by the users remained safe. As stated in their report,
DEXs and other smart-contract-based exchanges process transactions initiated by users, and are thus not affected. However, anyone who creates Ethereum transactions to arbitrary addresses may suffer from these or related issues. Ethereum Classic and other EVM-based blockchains (e.g., POA Network) may also be affected.
They now have disclosed about the glitch in their report publicly after most crypto exchanges patched the vulnerability. As possible mitigations, the researchers recommend limiting Gas on all transactions.
They also express their concern regarding possible co-discovery of the bug by the hackers. So, they also recommend reviewing the logs
No comments:
Post a Comment