Ethereum Token Hit by Malicious Minting Attack

November 22, 2018

Ethereum Smart contract and dApp developer Level K has uncovered the existence of a vulnerability within the Ethereum framework that potentially allows bad actors to mint large amounts of GasToken when receiving ETH.

In a blogpost published on November 21, the company revealed that the weakness has been flagged to most at-risk exchanges who have since effected software patches to contain the threat.

Potential GasToken Security Weakness

The vulnerability arises when ETH is sent to an address, which is then able to carry out arbitrary computations that the transaction originator pays for, which comes with a risk of ‘griefing’ – an action by a bad-faith actor designed to cause damage to network users. In theory, an attacker would be able to make a transaction originator such as an exchange pay for an arbitrary amount of computation if the exchange has no protections like gas limits in place.

By minting vast amounts of GasToken while receiving ETH, it would thus be possible at least in theory for such a griefing attack to become profitable to a bad actor.

What is more, the risk is not limited to ETH, but also includes all Ethereum-based tokens such as those built on ERC-721 and ERC-20 standards. In the course of carrying out contract calls to effect transfers, exchanges that do not set a gas limit for transactions with these tokens can end up paying for vast amounts of computation and suffering  similar fate.

An excerpt from material published by Level K explaining the threat using a hypothetical case study reads as follows:

“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”

According to Level K, exchanges potentially affected by the vulnerability were notified privately on November 13, and because it was not possible to say exactly which ones had no protections in place, this notification was sent to as many exchanges as possible, all of whom have now implemented patches to fix the problem.

Level K has also published further information and a complete rundown of the threat and the actions taken to contain it here.

Featured image from Shutterstock.

Tags: Ethereum
David Hundeyin @DavidHundeyin

I am a busy Nigerian writer, journalist and writer with an interest in tech and finance. When I'm not contributing to CCN and traveling around Africa, you can catch me contributing to CNN Africa, or in the writers room at 'The Other News', Nigeria's weekly answer to 'The Daily Show' with nearly 2 million viewers. My work on 'The Other News' was featured in the New Yorker Magazine, and that was then cited in the Washington Post so I'm not sure that counts as a feature but I'll definitely mention it too! I have been nominated by the US State Department to take part in the 2019 Edward R. Murrow Program for journalists under the International Visitors Leadership Program. I also like hamsters. You can reach me on Twitter at _David_Hundeyin