New evidence reveals a vulnerability that could harm exchanges which allow withdrawing Ethereum to arbitrary addresses without setting any gas usage limit.

When sending ETH to some smart contract address, the address can use the transaction to conduct computations. The result is that the sender will pay for the gas of these computations.

In case the sender didn’t define gas usage limit the address could perform an enormous amount of calculations and exploit the sender’s gas.

The attacker can exploit this breach to conduct some heavy computations in the fall-back function of the contract that receives the Ether tokens from the exchange. This kind of attack might result in draining the exchange’s hot wallet.

The attacker can also mint GasToken, which is an Ethereum smart contract that allows the user to tokenize gas on the Ethereum network. The idea here is to store gas when its price is low and use it when it becomes expensive. In this kind of attack, the attacker will send the Ether from the exchange directly to a GasToken contract where he will be able to mint GasToken.

A recent private disclosure was sent to various crypto exchanges a week ago. According to the disclosure, all the exchanges that could have been harmed have solved and patched the breach.

Ethereum’s History of Exploits

Even though Ethereum was born only in the summer of 2015, it already has a rich history of exploits. Among those, we can mention The DAO and Parity. Right after the DAO token sale has ended, which raised the highest amount back then, the attacker drained nearly 3.5 Million ETH, which worth $50 million at that time. The DAO case resulted in an immediate decline of around 30% in the ETH value, and was the reason for the hard fork to Ethereum Classic (ETC). Another famous exploit was the Parity wallet. The attacker stole 150,000 ETH worth $30 Million.

Enjoy reading? Please share: