‘Level K’ App Developer Discovers GasToken Vulnerability in Ethereum Network – XBT.net


On Wednesday, November 23, 2018, the decentralized application developer Level K posted new findings about Ethereum on its official Medium channel.

The brief report was written to warn that the Ethereum network has a potential protocol vulnerability that could easily be exploited by attackers to harm unsuspecting users, primarily cryptocurrency exchanges.

A danger for crypto exchanges

According to Level K, if an attacker were to withdraw Ether (ETH) from an exchange's hot wallet address, they could trigger arbitrary computation that is paid for by the owner of the wallet from which the ETH is sent (the exchange's hot wallet).

This procedure is known as a griefing vector.

Provided the cryptocurrency exchange in question did not have a reasonable gas limit in place on its platform, an attacker could complete enough transactions to generate GasToken, turning a griefing vector into a lucrative attack.

With gas on the Ethereum network being paid in ETH, it is understandable why this scheme could be so profitable.

Worse yet, this scheme could also be applied to all tokens that rely on the Ethereum network, namely ERC-20, ERC-721, ERC-777 and ERC-677 tokens.

Additionally, GasToken, which uses Ethereum's refund mechanism, allows an attacker to mint large amounts of GasToken, storing them when gas prices are low and redeeming them for a refund when gas prices rise.

Level K, together with their colleagues at Trail of Bits and IC3, gave a hypothetical example of an affected centralized exchange in their detailed report, which we quote in full:

“In the simplest exploitation scenario, Alice is running an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a compute-intensive fallback feature.

If Alice fails to set a reasonable gas limit, she will pay the transaction fees from her hot wallet. With enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create multiple accounts to bypass single-account withdrawal limits.

Additionally, if Bob wants to make a profit as well, he can create GasToken in his fallback function and earn money while emptying Alice’s wallet.”

Besides centralized exchanges, this vulnerability could also be used against decentralized exchanges (DEX), where the attacker would harm individuals interacting with their account rather than the exchange itself, charging them a certain amount of “tax” each time the interaction is performed.
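As an added illustration that is not part of the Level K report or this article, the following Python model puts numbers on the scenario: how much a hot wallet can lose per withdrawal when it does not cap gas, how many GasToken units an attacker-controlled fallback can mint with that gas, and why capping withdrawal gas at the cost of a plain transfer closes the hole. The block gas limit and gas price used here are assumed sample values, and the gas-schedule constants are the late-2018 (pre-Istanbul) EVM values.

```python
# Added example (not from the Level K report or XBT.net): a small model of the
# griefing economics described above. Gas-schedule constants are the late-2018
# (pre-Istanbul) EVM values; BLOCK_GAS_LIMIT and the gas price are assumed sample
# figures. The model ignores the 63/64 call-gas rule and other minor costs.

GAS_TX_BASE = 21_000          # intrinsic cost of any tx; a plain ETH transfer needs nothing more
GAS_SSTORE_SET = 20_000       # zero -> non-zero storage write: the cost of minting one GasToken unit
REFUND_SSTORE_CLEAR = 15_000  # refund for clearing a slot: how GasToken is redeemed later
BLOCK_GAS_LIMIT = 8_000_000   # assumed: the budget an uncapped withdrawal can hand to the fallback
GWEI = 10 ** 9

def gastokens_minted_in_fallback(gas_limit: int) -> int:
    """Storage slots a malicious fallback can fill using the gas the withdrawal tx provides."""
    return max(0, (gas_limit - GAS_TX_BASE) // GAS_SSTORE_SET)

def hot_wallet_loss_wei(gas_limit: int, gas_price_wei: int) -> int:
    """Worst-case fee the sending wallet pays for one withdrawal: the fallback burns its whole budget."""
    gas_used = GAS_TX_BASE + gastokens_minted_in_fallback(gas_limit) * GAS_SSTORE_SET
    return gas_used * gas_price_wei

def attacker_refund(tokens: int, redeem_gas_used: int) -> int:
    """Gas refunded when the attacker later clears the slots in his own tx.
    The EVM caps the refund at half of the gas that tx used."""
    return min(tokens * REFUND_SSTORE_CLEAR, redeem_gas_used // 2)

def simulate(n_withdrawals: int, gas_limit: int, gas_price_wei: int) -> dict:
    """Exchange loss and attacker's minted GasToken over n withdrawals at a fixed gas limit."""
    return {
        "exchange_loss_wei": n_withdrawals * hot_wallet_loss_wei(gas_limit, gas_price_wei),
        "gastoken_minted": n_withdrawals * gastokens_minted_in_fallback(gas_limit),
    }

def capped_withdrawal_gas(requested_gas: int, cap: int = GAS_TX_BASE) -> int:
    """The mitigation the report asks for: never sign a withdrawal with more gas than policy allows.
    With cap = 21_000 a contract recipient cannot execute any fallback code at all."""
    return min(requested_gas, cap)

if __name__ == "__main__":
    price = 10 * GWEI
    for label, limit in (("uncapped", BLOCK_GAS_LIMIT), ("capped", capped_withdrawal_gas(BLOCK_GAS_LIMIT))):
        r = simulate(1_000, limit, price)
        print(f"{label:8s} gas={limit:>9,}  loss={r['exchange_loss_wei'] / 10**18:.3f} ETH"
              f"  gastoken={r['gastoken_minted']:,}")
    # uncapped: 79.810 ETH lost, 398,000 GasToken minted; capped: 0.210 ETH, 0
```

The same model also shows why the attack pays for itself: Alice funds the 20,000-gas storage writes, while Bob later collects the 15,000-gas refund per slot (subject to the half-of-gas-used cap) on transactions of his own.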

Level K warns exchanges

Level K also reported that, since they could not infer which exchanges had a gas limit in place and which did not, they sent a warning about this potential vulnerability to as many trading platforms as possible, in the hope that those that were vulnerable would fix the security hole.

The dApp development company said that most exchanges had already implemented gas limit protection, and that those which had not have since patched their systems.

Although it is one of the most widely used networks on the market, this example shows that Ethereum can still be used for malicious activity, because its network has not yet been perfected.

Every day, new ways to exploit blockchain vulnerabilities are discovered. However, such revelations can, and hopefully will, speed up the process of making this new technology a near-bulletproof transaction flow.
