Level K, a group of Ethereum decentralized applications (dAPPs) and smart contract developers has spotted a vulnerability to exploit the Gas Tokens. In an official blog post on Wednesday, November 21, the company has uncovered a weakness in the Ethereum framework which allows bad players to mint large number of Gas Tokens while receiving ETH.
The Level K developers say that exchanges are at a major risk as the vulnerability could be exploited in case of withdrawing ETH tokens from the trading platforms.
The blog post explains: “Many exchanges allow the withdrawal of Ethereum to arbitrary addresses with no gas usage limit. Since sending Ethereum to a contract address executes its fallback function, attackers can make these exchanges pay for arbitrary computation. This allows attackers to force exchanges to burn their own Ethereum on high transaction costs”.
Exploiting of the Vulnerability by Bad Players
Moreover, by performing dubious calculations, the attacker can also decide to burn the entire store of ETH done by the exchange. Or possibly, it can use ETH to get more number of Gas Tokens. Gas Token is a technology that allows users to store gas for the future.
Many exchanges have protection mechanisms put in place. This can be in the form of withdrawal limits or KYC which can direct the exchange back to the wrong doer. However, one loophole is that exchanges don’t have any limit on the type of addresses. In such case, the bad players can force them to send the ETH to smart contract address instead of the wallet address.
Level K explains this with a example in a material published by its researchers highlighting this vulnerability.
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
Level K warns that exchange should immediately check logs for any dubious withdrawals. Furthermore, it suggests exchanges to have gas limits at the minimum requirement of 21,000 gWei.
“Consider implementing rate limiting and gas monitoring on withdrawal. Rate limiting is not sufficient to prevent attacks. However, it can help mitigate the issue,” warned Level K.