Ethereum Token Vulnerability Could Have Drained Crypto Exchanges' Wallets

  • A vulnerability affecting an Ethereum token could've seen bad actors empty crypto exchanges' hot wallets.
  • Before disclosing the bug, the researchers contacted potentially affected exchanges.

A vulnerability found in the Ethereum-based GasToken could have let malicious actors drain cryptocurrency exchanges’ hot wallets, or even mint new tokens for a profit.

According to a recently published disclosure, first reported on by The Next Web, the bug mainly affects cryptocurrency exchanges that don’t set gas usage limits on withdrawals. Once a malicious actor initiated a withdrawal of the tokens, he could make the exchange pay large amounts in gas fees, draining its wallets. As the disclosure explains:

In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds.

If cryptocurrency exchanges don’t enforce know-your-customer (KYC) checks, it adds, a malicious actor could even circumvent withdrawal limits. More sophisticated actors could implement a “tax” on transactions and create new tokens for a profit.

Notably, the bug seemingly only affects those that initiate Ethereum transactions, and not those who process them. As such, decentralized cryptocurrency exchanges like ForkDelta and “other smart-contract-based exchanges [that] process transactions initiated by users” are not affected.

It’s currently unclear how many exchanges were affected by the bug, if any. The researchers that caught it privately disclosed the vulnerability, which was found at the end of October, before making it public, and contacted all possibly affected exchanges.

To secure their funds, exchanges were told to “implement reasonable gas limits” on withdrawals. The researchers also advised potentially affected platforms to review their logs as “attackers may have co-discovered this vulnerability.” Other blockchains, including that of Ethereum Classic and EOS, may have similar issues, they noted.

The researchers then suggested additional safety measures:

In the long term, contracts that implement ERC721, ERC777, and ERC677 should put restrictions on gas usage when making calls to unknown addresses. Alternatively, the front-end of decentralized applications that use these contracts can warn users when an unusually large amount of gas is being used.
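A defender-side model of the scenario above, added here as an example and not code from the disclosure or from any exchange: it shows why a per-withdrawal gas cap bounds what a recipient contract's expensive fallback can cost the hot wallet, and a log review of the kind the researchers recommended. The gas figures, gas price, addresses and log entries are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

WEI_PER_ETH = 10**18
# A plain ERC-20 transfer needs ~21k base gas plus a few tens of thousands in
# the token contract; 60k "normal" and a 100k cap are assumed figures here.
NORMAL_TRANSFER_GAS = 60_000
WITHDRAWAL_GAS_CAP = 100_000


@dataclass
class WithdrawalTx:
    tx_hash: str          # constructed identifiers, not real transactions
    to: str
    gas_used: int
    gas_price_wei: int

    def fee_eth(self) -> float:
        return self.gas_used * self.gas_price_wei / WEI_PER_ETH


def max_fee_per_withdrawal(gas_cap: int, gas_price_wei: int) -> float:
    """Worst case the hot wallet can lose on one withdrawal once a gas cap is
    set: the recipient's fallback can burn at most gas_cap before reverting."""
    return gas_cap * gas_price_wei / WEI_PER_ETH


def flag_suspicious_withdrawals(txs, normal_gas=NORMAL_TRANSFER_GAS, factor=5):
    """Log review: withdrawals that burnt more than `factor` times the gas a
    normal token transfer needs, plus the fee paid out per recipient address."""
    flagged = [tx for tx in txs if tx.gas_used > factor * normal_gas]
    fee_by_recipient = defaultdict(float)
    for tx in flagged:
        fee_by_recipient[tx.to] += tx.fee_eth()
    return flagged, dict(fee_by_recipient)


# Constructed sample log: two ordinary withdrawals and two sent to a contract
# whose fallback deliberately consumes close to a whole block of gas.
GAS_PRICE = 20 * 10**9  # 20 gwei, assumed
SAMPLE_LOG = [
    WithdrawalTx("0xaaa1", "0xUserA", 52_000, GAS_PRICE),
    WithdrawalTx("0xaaa2", "0xUserB", 48_000, GAS_PRICE),
    WithdrawalTx("0xbbb1", "0xExpensiveFallback", 7_900_000, GAS_PRICE),
    WithdrawalTx("0xbbb2", "0xExpensiveFallback", 7_900_000, GAS_PRICE),
]

if __name__ == "__main__":
    flagged, fees = flag_suspicious_withdrawals(SAMPLE_LOG)
    print(f"{len(flagged)} suspicious withdrawals, fees burnt: {fees}")
```

With the cap in place, the same recipient could cost the wallet at most `max_fee_per_withdrawal(WITHDRAWAL_GAS_CAP, GAS_PRICE)` per transaction instead of the uncapped figure in the log.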

As The Next Web points out, this is not the first critical bug discovered this year. As CryptoGlobe covered, a smart contract vulnerability that would theoretically have allowed users of cryptocurrency exchange Coinbase to give themselves unlimited Ethereum was fixed back in March.

Similarly, Monero’s developers fixed a bug back in September that could potentially have seen users lose or double-spend funds. The vulnerability, known as the “burning bug,” could have let an attacker destroy XMR in an organization’s wallet.

VeChain Foundation’s 'Buyback' Wallet Gets ‘Compromised’, Hacker Steals 1.1 Billion VET Tokens

Siamak Masnavi

At 17:00 UTC on Friday (December 13), the VeChain Foundation announced that their "buyback address was compromised." 

This was the tweet they sent out to announce this terrible news:

So, what is the buyback address that the VeChain Foundation is referring to?

Well, back on 30 June 2019, the VeChain Foundation announced a $25 million buyback plan:

In today's announcement, the foundation says that 1.1 billion VET tokens (worth roughly $6.5 million at current VET prices) were taken from the hot wallet they were using for the buyback plan, and that these VET tokens were transferred by the hacker to 0xD802A148f38aBa4759879c33E8d04deb00cFB92b:

They go on to say that "all the addresses associated with the said hacker’s address have been tagged on VeChainStats, the list is automatically updated as soon as the hacker sends any funds from the original hacker’s address."

VeChain Foundation "has been tracing the transfer of these VET Tokens in real-time," and here is what they have done so far to manage this situation:

  • "We have notified all exchanges to monitor, blacklist and freeze any funds coming from the hacker address and any withdraws from the corresponding exchanging wallets."
  • "We have launched an investigation into every fact around the address to determine the motive, method, and data flow behind this malicious act."
  • "We have enlisted the assistance of Hacken along with its whitehat community, and teams to help with monitoring and containment of the situation."
  • "We have also started a security check immediately on the other crypto assets under the custodian of the Foundation, to make sure no further breach will occur."
  • "We have reported this incident to law enforcement in Singapore."

According to data from CryptoCompare, VET is currently trading at $0.005824, down 4.93% in the past 24-hour period:

[Chart: VET-USD 24-Hour, 13 Dec 2019]

We will update this article as more details become available...
