Ethereum Token Suffered Malicious Minting Attack


Level K, a smart contract developer for the ETH network, has discovered a vulnerability on Ethereum’s platform. The flaw within the ETH code enabled malicious actors to mint huge volumes of GasToken when receiving ETH tokens. After the discovery, Level K said it had notified the affected exchanges.

The issue occurred when two parties conducted a transaction over the Ethereum network, for instance when someone wanted to send a token to someone else. Whenever an Ethereum token was sent to a wallet address, a number of computations were carried out before the transfer completed, and the sender paid for them. This process, however, could be taken advantage of if the sender had an ulterior motive.

A malicious actor could target an exchange that had not set any gas limits, either by “griefing” (randomly harming the network) or by leveraging a flaw within the code to mint huge amounts of Gas by draining the target, which is the exchange’s hot wallet.

To simplify the issue, Level K described a hypothetical scenario: “In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”

Level K also carried out a threat assessment of the issue and proposed solutions for containing it.
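The effect of Alice’s missing gas limit in the scenario above can be modelled from the exchange’s side. The following is an added example, not Level K’s code or part of the original report; the account names, gas figures, gas price and the 40,000 cap are constructed assumptions.

```python
# Added example: constructed model of an exchange's withdrawal fee exposure.
# All names, gas figures and prices are assumptions, not data from the report.
from dataclasses import dataclass

GWEI = 10**9
PLAIN_TRANSFER_GAS = 21_000   # intrinsic gas of a simple ETH transfer
GAS_CAP = 40_000              # assumed per-withdrawal policy limit

@dataclass
class Withdrawal:
    account: str
    gas_estimate: int   # gas the recipient address would consume on receipt

def process(withdrawals, gas_price_wei, gas_cap=None):
    """Return (total fee paid by the hot wallet, accounts refused).

    gas_cap=None models the weak setup: the gas limit follows the estimate,
    so the recipient's fallback decides what the exchange pays.
    With a cap, a withdrawal whose estimate exceeds it is refused before
    broadcast, so the hot wallet pays nothing for it.
    """
    fee_paid, refused = 0, []
    for w in withdrawals:
        if gas_cap is not None and w.gas_estimate > gas_cap:
            refused.append(w.account)   # candidates for manual review
            continue
        fee_paid += w.gas_estimate * gas_price_wei
    return fee_paid, refused

def sample_queue():
    """Constructed queue: three ordinary users, plus five accounts paying out
    to a contract whose fallback burns 4,000,000 gas."""
    honest = [Withdrawal(f"user{i}", PLAIN_TRANSFER_GAS) for i in range(3)]
    heavy = [Withdrawal(f"acct{i}", 4_000_000) for i in range(5)]
    return honest + heavy

if __name__ == "__main__":
    price = 20 * GWEI
    for cap in (None, GAS_CAP):
        fee, refused = process(sample_queue(), price, cap)
        print(f"cap={cap}: hot wallet pays {fee / 10**18:.5f} ETH, refused={refused}")
```

The refused list doubles as a detection signal: many distinct accounts paying out to gas-heavy recipients is the multi-account pattern the quoted scenario describes.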

