dApp Developer ‘Level K’ Discovers GasToken Vulnerability In Ethereum Network
On Wednesday, November 23, 2018, the decentralized applications producer, Level K, published new revelations about Ethereum on their official Medium channel.
The brief report was written as a warning that the Ethereum network has a potential protocol-level weakness which could easily be exploited by attackers to harm unsuspecting users, mainly cryptocurrency exchanges.
A danger for crypto exchanges
According to Level K, if an attacker were to withdraw Ether (ETH) from an exchange to a contract address he controls, he would be able to run arbitrary computation in that contract, paid for by the owner of the wallet from which the ETH is sent (the exchange’s hot wallet).
This type of attack is known as a griefing vector.
Provided that the cryptocurrency exchange in question has not implemented a reasonable gas limit on its withdrawals, an attacker could perform enough transactions to generate GasToken, turning a griefing vector into a lucrative form of attack.
Since gas on the Ethereum network is paid in ETH, we can see why this scheme could be so profitable.
What’s even worse, this scheme could also be applied to all tokens built on the Ethereum network, meaning ERC-20, ERC-721, ERC-777, and ERC-677 tokens.
Furthermore, GasToken, which makes use of Ethereum’s gas refund mechanism, allows an attacker to mint large amounts of GasToken from the ETH used to pay for these transactions, storing it when gas prices are low and redeeming it for a refund when they rise.
Level K, along with their colleagues from Trail of Bits and IC3, gave a hypothetical example of an affected centralized exchange in their published in-depth report, which we are going to quote in full:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function.
If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits.
In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
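To make the exchange-side defence concrete, here is an added example (not code from Level K, Trail of Bits, IC3 or any exchange) of a withdrawal processor that bounds the gas limit per withdrawal and the cumulative worst-case fee per account; the addresses, gas prices, cap and budget are constructed values, and `isContract` stands in for an `eth_getCode` lookup.

```javascript
// The hot wallet signs every withdrawal, so it pays for whatever the
// recipient contract's fallback does, up to the transaction's gas limit.
// Bounding that limit, and the fee budget per account, bounds the damage.
const GAS_PLAIN_TRANSFER = 21000n;   // gas for an ETH transfer to a plain account
const WITHDRAWAL_GAS_CAP = 60000n;   // policy cap for contract recipients (constructed)
const BLOCK_GAS_LIMIT = 8000000n;    // roughly a 2018 mainnet block, for comparison
const GWEI = 1000000000n;

// Worst-case fee (in wei) the hot wallet can be charged for one withdrawal.
function maxFeeWei(gasLimit, gasPriceWei) {
  return gasLimit * gasPriceWei;
}

// A plain account never needs more than 21000 gas; a contract recipient gets
// the policy cap instead of whatever the request asked for.
function withdrawalGasLimit(to, isContract) {
  return isContract(to) ? WITHDRAWAL_GAS_CAP : GAS_PLAIN_TRANSFER;
}

// Process one account's withdrawal requests, refusing any that would push the
// account's cumulative worst-case fee past `feeBudgetWei`.
function processWithdrawals(requests, { isContract, feeBudgetWei }) {
  let spent = 0n;
  const accepted = [];
  const rejected = [];
  for (const req of requests) {
    const gasLimit = withdrawalGasLimit(req.to, isContract);
    const fee = maxFeeWei(gasLimit, req.gasPriceWei);
    if (spent + fee > feeBudgetWei) {
      rejected.push({ ...req, reason: 'fee budget exhausted' });
      continue;
    }
    spent += fee;
    accepted.push({ to: req.to, value: req.valueWei, gasPrice: req.gasPriceWei, gasLimit });
  }
  return { accepted, rejected, worstCaseFeeWei: spent };
}

// Constructed scenario: Bob requests five withdrawals to a contract he controls.
const bobContract = '0xB0B0000000000000000000000000000000000000'; // constructed
const isContract = (addr) => addr === bobContract;
const requests = Array.from({ length: 5 }, () => ({
  to: bobContract, valueWei: 10n ** 18n, gasPriceWei: 20n * GWEI,
}));

// Without a cap, each withdrawal could burn a whole block's worth of gas.
const uncappedExposureWei = maxFeeWei(BLOCK_GAS_LIMIT, 20n * GWEI) * 5n;
// With the cap and a 0.005 ETH fee budget, the fifth request is refused.
const result = processWithdrawals(requests, { isContract, feeBudgetWei: 5n * 10n ** 15n });
```

The same fee budget can be applied per verified identity rather than per account, which is what the KYC remark in the quoted scenario is about.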
Besides centralized exchanges, this vulnerability could also be used on decentralized exchanges (DEX), where the attacker would hurt individuals interacting with his account instead of the exchange itself, billing them a certain amount of “tax” every time the interaction is made.
Level K warned exchanges
Level K also reported that since they couldn’t determine which exchanges had implemented a gas limit and which hadn’t, they sent a warning about this potential vulnerability to as many trading platforms as they could, in the hope that the vulnerable ones would patch the security hole.
The dApp development firm stated that most exchanges already had gas limit protection in place, and those that didn’t have since successfully patched their systems.
This example shows that Ethereum, despite being one of the most used networks in the market, can still be abused for malicious activity, as its network has not yet been perfected.
Every day, new ways to exploit blockchain vulnerabilities are discovered. However, such revelations may, and hopefully will, speed up the process of making this new technology a near-bulletproof stream of transactions.