Ethereum (ETH) Vulnerability Could Have Led to Exchange Drains, Report Says
Researchers have found a vulnerability in Ethereum that would have let hackers suck exchanges dry.
A group of researchers has unearthed a critical vulnerability in the Ethereum (ETH) network which could have resulted in massive losses for crypto exchanges. The exploit would have allowed attackers to force exchanges that send withdrawals without a gas limit to pay extremely high transaction fees. In addition, the vulnerability also allowed attackers to gain massive profits.
Discovered by a group of cryptocurrency researchers, the vulnerability was tied to the code of the Ethereum-based cryptocurrency GasToken. The exploit only affected exchanges initiating ETH transactions, not platforms receiving them. In a report published last week, the researchers explained the bug would have allowed hackers to drain unprotected cryptocurrency exchanges by forcing them to pay huge transaction fees, as well as to mint GasToken at the expense of “naïve users” by imposing a small GasToken tax on each transaction.
“In the simplest exploit scenario, Alice runs an exchange which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet,” the paper explained.
Although the exact number of affected exchanges is unknown, the researchers reached out to a number of platforms that could be vulnerable to the bug.
The report issued several recommendations for preventing malicious exploits. The authors propose implementing “reasonable gas limits on all transactions,” especially those sent to arbitrary addresses. They also observe that monitoring the primary GasToken contract is insufficient, since it would not prevent the deployment of new GasToken contracts with the same properties as the original. Furthermore, the paper warns that similar EVM-based blockchains, such as EOS and Ethereum Classic, might also possess a vulnerability of this kind.
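The following is an added example, not code from the researchers' report or from any exchange's software, showing what the “reasonable gas limit” recommendation looks like in a hot-wallet withdrawal policy. It contrasts the fee an exchange could be charged when it signs withdrawals with no gas limit (assumed here to be bounded only by a block gas limit of 8,000,000) against a signer that caps every withdrawal at the 21,000 gas a plain ETH transfer needs, enforces a per-transaction fee budget, and flags destinations that hold contract code for review. The addresses, gas prices and the stand-in for an `eth_getCode` lookup are constructed for the example.

```javascript
// Added example (not from the report or any exchange): a hot-wallet withdrawal
// policy that bounds how much gas an outgoing transaction can burn.
// All addresses, prices and the code-at-address lookup are constructed.

const PLAIN_TRANSFER_GAS = 21000n;          // gas a plain ETH transfer to an EOA uses
const ASSUMED_BLOCK_GAS_LIMIT = 8_000_000n; // assumption: worst case for a tx signed with no limit
const WEI_PER_GWEI = 1_000_000_000n;

// Constructed stand-in for eth_getCode: the one address below is pretended to
// hold a contract whose fallback function does expensive work.
const HEAVY_FALLBACK_ADDR = '0xc0ffee000000000000000000000000000000000001';
const ADDRESSES_WITH_CODE = new Set([HEAVY_FALLBACK_ADDR]);

function isContract(address) {
  return ADDRESSES_WITH_CODE.has(address.toLowerCase());
}

// Upper bound on the fee (in wei) the sender can be charged: gas limit x gas price.
function maxFeeWei(gasLimit, gasPriceWei) {
  return gasLimit * gasPriceWei;
}

// Fee exposure of one withdrawal when the signer sets no gas limit (the
// destination can run until the block limit) versus a fixed 21000 cap.
function feeExposure(gasPriceGwei) {
  const gasPriceWei = BigInt(gasPriceGwei) * WEI_PER_GWEI;
  return {
    uncappedWei: maxFeeWei(ASSUMED_BLOCK_GAS_LIMIT, gasPriceWei),
    cappedWei: maxFeeWei(PLAIN_TRANSFER_GAS, gasPriceWei),
  };
}

// Build a withdrawal under the policy: fixed gas cap, per-transaction fee
// budget, and a review flag for destinations that hold code.
function buildWithdrawal({ to, valueWei, gasPriceGwei, feeBudgetWei }) {
  const gasPriceWei = BigInt(gasPriceGwei) * WEI_PER_GWEI;
  const exposureWei = maxFeeWei(PLAIN_TRANSFER_GAS, gasPriceWei);
  if (exposureWei > feeBudgetWei) {
    // Even a capped plain transfer would cost more than the budget, e.g. during
    // a gas price spike; refuse rather than sign.
    return { ok: false, reason: 'fee exposure exceeds budget', exposureWei };
  }
  return {
    ok: true,
    // With gas fixed at 21000, a fallback function that needs more gas runs out
    // of gas and the transfer reverts; the hot wallet pays at most exposureWei.
    tx: { to, value: valueWei, gasPrice: gasPriceWei, gas: PLAIN_TRANSFER_GAS },
    needsReview: isContract(to),
    exposureWei,
  };
}

// Stand-alone run: compare exposures at a constructed 20 gwei gas price.
const example = feeExposure(20);
console.log(`uncapped exposure: ${example.uncappedWei} wei, capped: ${example.cappedWei} wei`);
```

At 20 gwei the uncapped case exposes the hot wallet to 0.16 ETH per withdrawal, while the capped case exposes it to 0.00042 ETH; the difference is what a destination with a gas-burning fallback function can extract. Routing flagged contract destinations to manual review is a design choice: some legitimate customers withdraw to contract wallets whose fallback needs more than 21,000 gas, and those transfers will revert under the cap rather than silently cost the exchange.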