A bug centering around the Ethereum-based GasToken that paved the way for abuse on cryptocurrency exchanges has been fixed.
How Did It Work?
The bug made it possible for hackers to force exchanges into paying very high fees, though at press time, it’s unclear which exchanges lacked the specific security means to prevent the problem from expanding. Additionally, the hackers could potentially exploit the bug to garner profits.
The issue was discovered by a group of cryptocurrency researchers, who later issued private messages to “as many digital exchanges as possible.” The platforms later implemented the appropriate security measures to disrupt the bug and end the threat once and for all.
You Need to Get Strict
Many exchanges, the researchers discovered, were not implementing appropriate limits on GasToken utilization or on how many tokens could be sent to random addresses. Thus, upon the completion of a transaction, the hackers could potentially force the exchanges into paying very high amounts for ongoing computation and then drain the exchanges’ reserves. They could also mint new GasTokens if they wanted (minting is the process of creating entirely new coins for a profit).
Hackers could also enforce high fees on users engaging in business with random accounts. On a positive note, not all exchanges were made vulnerable to the bug, as it was initially reported that only exchanges taking part in Ethereum-based transactions could be victimized.
Very Few Could Be Affected
This was later narrowed down to exchanges that initiated such transactions, not those that processed them, which made for a limited number of platforms that could be affected. Decentralized exchanges (DEXs) and those that utilized smart contracts to process users’ money transfers, for example, could not be attacked.
The bug was first discovered in late October. The researchers then went on to inform those who could be affected, advising that they implement “reasonable gas limits on all transactions” to defend against the possibility of a threat. At the time of writing, the exchanges have implemented the necessary defenses and the problem is now null and void.
This Looks Familiar
This isn’t the first time Ethereum has opened the door to malicious activity. Early this year, research staffers discovered a vulnerability in Coinbase that allowed users to reward themselves with virtually unlimited amounts of ether tokens. In addition, a flaw in Monero’s wallet system allowed users to potentially steal XMR from digital exchanges.
To learn more about the recent bug, click here.
Will we continue to see issues like these in the future? Why or why not? Post your comments below.