An Ethereum smart contract and dApp developer named Level K is in the latest cryptocurrency news for uncovering a vulnerability within the Ethereum framework that allows bad actors to mint large amounts of GasToken when receiving ETH.
As the official blog post published on November 21st outlined, the weakness has been flagged to the most at-risk exchanges, which have since released software patches that address the threat.
The vulnerability arises every time ETH is sent to an address that is able to carry out arbitrary computations that the transaction originator pays for. In theory, the only way to attack the token is by making a transaction originator, such as an exchange, pay for an arbitrary amount of computation when the exchange has no protections (such as gas limits) set up.
Analysts claim that the risk is not limited to ETH right now, but also includes all Ethereum-based tokens, such as the ones built on the ERC-721 and ERC-20 standards. As an excerpt from the material published by Level K explains:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
According to the lead developer at Ethereum, exchanges affected by the vulnerability were notified privately on November 13th. Since it wasn’t possible to say which ones had no protections in place, the notifications were sent to as many exchanges as possible.
Level K also published further information and a complete overview of the threat, as well as the actions taken to contain it, which can be seen at this link.
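The cost side of the scenario in the excerpt can be put into a simplified model, added here as an illustration and not taken from Level K's write-up: it compares what a hot wallet pays when each withdrawal's gas limit follows the recipient's gas demand with what it pays when the limit is clamped to a fixed cap. The gas price, the 3,000,000-gas fallback and the 50,000 cap are constructed values, and the function names are hypothetical.

```python
# Simplified model (an assumption of this example): the sender pays
# gas_used * gas_price, and a call that runs out of gas is charged its whole limit.
GWEI = 10**9
PLAIN_TRANSFER_GAS = 21_000  # base cost of an ETH transfer that executes no code


def gas_limit_for(estimated_gas, cap=None):
    """Gas limit the exchange signs: the raw estimate, or the estimate clamped to a cap."""
    return estimated_gas if cap is None else min(estimated_gas, cap)


def settle(gas_needed, gas_limit, gas_price_wei):
    """Return (succeeded, fee_wei) for one withdrawal transaction."""
    if gas_needed <= gas_limit:
        return True, gas_needed * gas_price_wei
    # Out of gas: the transfer reverts, but the full limit is still paid for.
    return False, gas_limit * gas_price_wei


def hot_wallet_cost(gas_needs, gas_price_wei, cap=None):
    """Total fees paid by the hot wallet and number of failed withdrawals."""
    total, failed = 0, 0
    for needed in gas_needs:
        ok, fee = settle(needed, gas_limit_for(needed, cap), gas_price_wei)
        total += fee
        failed += not ok
    return total, failed


# Constructed sample: two withdrawals to ordinary accounts, three to a contract
# whose fallback function consumes 3,000,000 gas.
SAMPLE_GAS_NEEDS = [PLAIN_TRANSFER_GAS, PLAIN_TRANSFER_GAS,
                    3_000_000, 3_000_000, 3_000_000]
GAS_PRICE = 20 * GWEI  # constructed gas price
GAS_CAP = 50_000       # hypothetical per-withdrawal policy value

if __name__ == "__main__":
    for label, cap in (("no cap", None), ("capped", GAS_CAP)):
        total, failed = hot_wallet_cost(SAMPLE_GAS_NEEDS, GAS_PRICE, cap)
        print(f"{label}: fees={total / 10**18:.5f} ETH, failed={failed}")
```

With the cap in place the withdrawals to the expensive contract fail and the fee per withdrawal is bounded by the cap, so the exchange's exposure no longer depends on the recipient's code.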