A vulnerability involving the Ethereum-based GasToken could have allowed malicious individuals to drain cryptocurrency exchanges’ hot wallets, or even mint new tokens, in order to make a profit.
According to a recently published disclosure, the bug mainly affects digital currency exchanges that do not set a cap on gas usage for withdrawals. Such exchanges could pay enormous gas fees, draining their hot wallets, after someone withdraws tokens.
The disclosure states:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds.”
If cryptocurrency exchanges do not enforce know-your-customer (KYC) checks, a malicious actor can also circumvent withdrawal limits. More experienced actors could implement a ‘tax’ on transactions and mint new tokens for profit.
As reported by CryptoGlobe, the glitch only seemed to affect parties that initiate Ethereum transactions, not those that process them. Decentralised cryptocurrency exchanges such as ForkDelta, and other smart-contract-based exchanges that process payments started by users, are therefore not affected.
It is currently unknown how many exchanges, if any, were affected by the glitch. The researchers who discovered the vulnerability at the end of last month disclosed it privately and contacted all potentially affected exchanges before making it known to the public.
To keep their funds secure, exchanges were told to implement reasonable gas limits on withdrawals. The researchers also advised affected platforms to review their logs, as ‘attackers may have co-discovered this vulnerability’.
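To make the two pieces of advice above concrete, here is an added example (not code from the disclosure or from any exchange) that models what a withdrawal gas cap does to the fees an exchange hot wallet pays, and scans constructed withdrawal log lines for transactions that consumed far more gas than a plain transfer should. The fee model, the block gas limit, the 50,000-gas cap and the log format are all assumptions made for illustration.

```python
from dataclasses import dataclass

GWEI = 10**9
PLAIN_TRANSFER_GAS = 21_000      # a value transfer to an externally owned account uses exactly this
BLOCK_GAS_LIMIT = 8_000_000      # assumed: what an "uncapped" withdrawal effectively allows
WITHDRAWAL_GAS_CAP = 50_000      # assumed policy cap: enough for a plain transfer, not a heavy fallback


@dataclass
class Withdrawal:
    to: str
    gas_demand: int  # gas the destination would consume if allowed (21000 for an EOA, more for a contract)


def process_withdrawal(w: Withdrawal, gas_limit: int, gas_price_wei: int) -> tuple[bool, int]:
    """Return (succeeded, fee_paid_wei). A call that runs out of gas still consumes the whole
    limit, so the cap bounds the fee even when the destination's fallback tries to burn more;
    the withdrawal then fails, which is the intended outcome for such a destination."""
    consumed = min(w.gas_demand, gas_limit)
    return w.gas_demand <= gas_limit, consumed * gas_price_wei


def total_fees(withdrawals: list[Withdrawal], gas_limit: int, gas_price_wei: int) -> int:
    return sum(process_withdrawal(w, gas_limit, gas_price_wei)[1] for w in withdrawals)


def flag_high_gas_withdrawals(log_lines: list[str], threshold: int = WITHDRAWAL_GAS_CAP) -> list[tuple[str, int]]:
    """Review hot-wallet withdrawal logs (constructed 'key=value' format) and return the
    destinations whose outgoing transaction consumed more gas than the policy cap."""
    flagged = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])  # skip the timestamp
        gas_used = int(fields["gas_used"])
        if gas_used > threshold:
            flagged.append((fields["to"], gas_used))
    return flagged


# Constructed sample: two ordinary withdrawals and one to a contract with a gas-hungry fallback.
SAMPLE = [
    Withdrawal("0xEOA1", PLAIN_TRANSFER_GAS),
    Withdrawal("0xEOA2", PLAIN_TRANSFER_GAS),
    Withdrawal("0xCONTRACT", BLOCK_GAS_LIMIT - 10_000),
]
SAMPLE_LOG = [
    "2018-11-21T09:00:00Z to=0xEOA1 gas_used=21000 status=ok",
    "2018-11-21T09:01:00Z to=0xCONTRACT gas_used=7990000 status=ok",
    "2018-11-21T09:02:00Z to=0xEOA2 gas_used=21000 status=ok",
]

if __name__ == "__main__":
    price = 10 * GWEI
    print("uncapped fees (wei):", total_fees(SAMPLE, BLOCK_GAS_LIMIT, price))
    print("capped fees (wei):  ", total_fees(SAMPLE, WITHDRAWAL_GAS_CAP, price))
    print("flagged:", flag_high_gas_withdrawals(SAMPLE_LOG))
```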
On further safety measures, the researchers said:
“In the long term, contracts that implement ERC721, ERC777, and ERC677 should put restrictions on gas usage when making calls to unknown addresses. Alternatively, the front-end of decentralized applications that use these contracts can warn users when an unusually large amount of gas is being used.”