Ethereum Token Vulnerability Could Have Drained Crypto Exchanges' Wallets

  • A vulnerability affecting an Ethereum token could've seen bad actors empty crypto exchanges' hot wallets.
  • Before disclosing the bug, the researchers contacted potentially affected exchanges.

A vulnerability found in the Ethereum-based GasToken could’ve seen malicious actors take advantage of it to drain cryptocurrency exchanges’ hot wallets, or even mint new tokens to make a profit.

According to a recently published disclosure, first reported by The Next Web, the bug mainly affects cryptocurrency exchanges that don’t set gas usage limits on withdrawals. Once a malicious actor withdrew the tokens, he could make an exchange pay large amounts in gas fees, draining its wallets. As the disclosure explains:

In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds.

If cryptocurrency exchanges don’t enforce know-your-customer (KYC) checks, it adds, a malicious actor could even circumvent withdrawal limits. More sophisticated actors could implement a “tax” on transactions and create new tokens for a profit.

Notably, the bug seemingly only affects those that initiate Ethereum transactions, and not those who process them. As such, decentralized cryptocurrency exchanges like ForkDelta and “other smart-contract-based exchanges [that] process transactions initiated by users” are not affected.

It’s currently unclear how many exchanges were affected by the bug, if any. The researchers who caught it, at the end of October, disclosed the vulnerability privately and contacted all possibly affected exchanges before making it public.

To secure their funds, exchanges were told to “implement reasonable gas limits” on withdrawals. The researchers also advised potentially affected platforms to review their logs as “attackers may have co-discovered this vulnerability.” Other blockchains, including that of Ethereum Classic and EOS, may have similar issues, they noted.

The researchers then suggested additional safety measures:

In the long term, contracts that implement ERC721, ERC777, and ERC677 should put restrictions on gas usage when making calls to unknown addresses. Alternatively, the front-end of decentralized applications that use these contracts can warn users when an unusually large amount of gas is being used.
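The two defensive steps the researchers recommend, capping the gas attached to withdrawals and reviewing past receipts for destinations that burned far more gas than a plain transfer, as an added Python example that is not part of the disclosure or the article; the cap value, the ratio threshold and the sample receipts are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Gas consumed by a plain ETH transfer to an externally owned account.
BASE_TRANSFER_GAS = 21_000
# Assumed policy cap for outgoing withdrawals: a plain transfer plus a modest
# fallback, far below what a computationally intensive fallback could burn.
WITHDRAWAL_GAS_CAP = 60_000


@dataclass
class Withdrawal:
    tx_hash: str        # placeholder id, constructed for this example
    to: str             # destination address (constructed)
    gas_limit: int      # gas the hot wallet attached to the transaction
    gas_used: int       # gas actually consumed, as reported in the receipt
    gas_price_wei: int  # gas price paid per unit

    def fee_wei(self) -> int:
        return self.gas_used * self.gas_price_wei


def withdrawal_gas_limit(estimate: Optional[int], cap: int = WITHDRAWAL_GAS_CAP) -> int:
    """Gas limit to attach to a withdrawal: the node's estimate, but never above
    the policy cap, so an expensive fallback at the destination runs out of gas
    instead of being paid for out of the hot wallet."""
    if estimate is None or estimate > cap:
        return cap
    return max(estimate, BASE_TRANSFER_GAS)


def flag_gas_heavy_withdrawals(log: List[Withdrawal], ratio: float = 3.0) -> List[Withdrawal]:
    """Log review: withdrawals that consumed far more gas than a plain transfer,
    the signature of a destination contract with a heavy fallback."""
    return [w for w in log if w.gas_used >= ratio * BASE_TRANSFER_GAS]


def fee_per_destination(log: List[Withdrawal]) -> Dict[str, int]:
    """Total fee (in wei) the hot wallet paid, grouped by destination address."""
    totals: Dict[str, int] = {}
    for w in log:
        totals[w.to] = totals.get(w.to, 0) + w.fee_wei()
    return totals


# Constructed sample of withdrawal receipts (not real transactions).
SAMPLE_LOG = [
    Withdrawal("0xaaa1", "0xUserWalletA", 21_000, 21_000, 20_000_000_000),
    Withdrawal("0xaaa2", "0xUserWalletB", 21_000, 21_000, 20_000_000_000),
    # Two withdrawals sent with no cap to a contract whose fallback burns gas:
    Withdrawal("0xaaa3", "0xBobContract", 8_000_000, 7_950_000, 20_000_000_000),
    Withdrawal("0xaaa4", "0xBobContract", 8_000_000, 7_990_000, 20_000_000_000),
]
```

Running `flag_gas_heavy_withdrawals(SAMPLE_LOG)` singles out the two receipts to `0xBobContract`, and `fee_per_destination` shows how much of the hot wallet went to that one address.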

As The Next Web points out, this is not the first critical bug discovered this year. As CryptoGlobe covered, a smart contract vulnerability that theoretically allowed users of the cryptocurrency exchange Coinbase to give themselves unlimited Ethereum was fixed back in March.

Similarly, Monero’s developers fixed a bug back in September that could potentially have seen users lose or double-spend funds. The vulnerability, known as the “burning bug,” could have allowed an attacker to destroy XMR in an organization’s wallet.

Crypto Scammers Responsible for $24 Million in Bitcoin Theft Through First Half of 2020: Report

Michael LaVere
  • New Whale Alert report shows crypto scammers have raked in $24 million in bitcoin through the first six months of 2020.
  • One scammer leveraged YouTube advertising to steal $130k in BTC per day. 

Crypto monitoring service Whale Alert has published a report showing that crypto scammers are responsible for $24 million in bitcoin theft through the first half of the year, including the exploitation of YouTube advertising. 

According to the report “Chasing Crypto Criminals” published July 10, cyber-thieves are finding easy prey in the form of bitcoin and other crypto-asset investors. Whale Alert summarized its exhaustive reviews of hundreds of websites and thousands of reports of theft as “crypto crime pays. A lot.” 

Whale Alert claimed there was little risk involved for crypto-based criminals, despite the massive economic impact being imposed on victims. The report confirmed at least $38 million in bitcoin alone being stolen via scams over the past four years, excluding the use of Ponzi schemes. 

The report reads, 

Some of the most successful scams made over $130,000 in a single day with nothing more than a one page website, a bitcoin address and a decent amount of YouTube advertising.

Whale Alert outlined another scam which brought in $1.5 million over six months through promoting a fake cryptocurrency exchange. The report claims the advertisement took victims to an “amateurish website riddled with spelling errors,” before tricking users into depositing their funds. 
