A flaw has been uncovered on the Ethereum network which potentially allows malicious actors to mint large volumes of the GasToken when receiving Ethereum transactions.

Level K is a smart contract and dApp developer for the Ethereum network. Through their work they have discovered a vulnerability in the Ethereum code which potentially allows malicious actors to effectively mint their own GasTokens when they receive an Ethereum transaction. A blog post published yesterday by the company stated that the issue had been made known to the most vulnerable exchanges.

Mint Your Own GasToken

The problem arises when parties transacting on the Ethereum network send the token to each other. When ETH is sent to an address, there is a number of largely arbitrary computations which take place. These are paid for by the transaction’s originator. However, this mechanism can be abused if the malicious actor initiating the transaction knows what they are doing.

A malicious actor can attack a target, such as an exchange which doesn’t have any Gas limits in place, by “griefing”; – arbitrarily damaging the network – using a flaw in the code to mint vast amounts of Gas by incrementally draining the target – i.e. exchange’s – hot wallet.

A Level K document on the topic described it as follows:

“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”

Steps Taken

Level K have published a report on the issue which states they conducted tests themselves to see the process in action and were able to generate 1.75 GasTokens on withdrawal of an undisclosed amount of ETH from an unidentified exchange.

Subsequently they report that they have taken steps to make exchanges which are vulnerable to attack aware of their vulnerabilities. Further to this, on November 2nd 2018, Vitalik Buterin and Hudson Jameson were notified of the issue in order to assist in the disclosure. Level K understand that all of the parties contacted have now instated software patches designed to contain the issue.

Image Source: “Flickr”