A newly discovered vulnerability involving GasToken, a token that runs on the Ethereum blockchain, could allow hackers to withdraw funds from exchange hot storage wallets, or even counterfeit tokens for profit.
According to a recently published study, this vulnerability mainly affects exchangers that have not set a withdrawal limit. The study explains:
The most primitive attack scenario is that Vasya has an exchanger that Petya wants to hack. Petya can request a transfer of funds from his wallet to a contract address that he controls. If Vasya neglected to set a reasonable limit on ETH, he will pay a transaction fee from his hot wallet. Having carried out a sufficient number of transactions, Petya can empty Vasya’s wallet.
If the exchanger does not use KYC technology, a hacker can bypass the withdrawal limit. A more skilled attacker could even impose a “tax” on transactions, and create their own token for profit.
Notably, the vulnerability only affects those who initiate Ethereum transactions, and not those who process them. Therefore, decentralized cryptocurrency exchanges like ForkDelta and other exchangers that work with smart contracts that process user-initiated transactions will not be affected by the bug.
It is currently unknown how many exchangers are affected. According to the researchers who discovered the vulnerability, they contacted each potentially affected exchange before publishing the information.
Exchanges were advised to set a “reasonable gas limit” during withdrawals. The researchers also advised potentially affected platforms to review their logs, as attackers could have discovered this vulnerability a long time ago.
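As an added example (not from the article or the study it reports on), the Python below sketches the two defensive measures the researchers recommended: a withdrawal builder that pins an explicit gas limit so the hot wallet never pays for code execution at the destination, and a check over past withdrawal records for transfers that consumed more gas than a plain ETH transfer. The record format, the sample records and the transaction hashes are constructed assumptions, not real data.

```python
from dataclasses import dataclass

# Intrinsic gas of a plain ETH transfer to an externally owned account.
# A destination that runs code needs more, and the sender pays for it.
SIMPLE_TRANSFER_GAS = 21_000


@dataclass
class WithdrawalRecord:
    """One past withdrawal as an exchange might record it (assumed format)."""
    tx_hash: str
    to: str
    gas_limit: int
    gas_used: int


def destination_is_contract(code: bytes) -> bool:
    """True if the address has deployed code. `code` is what an eth_getCode
    call returns for the withdrawal address (bytes; b'' for a plain account)."""
    return len(code) > 0


def build_withdrawal_tx(to: str, value_wei: int, gas_price_wei: int,
                        gas_cap: int = SIMPLE_TRANSFER_GAS) -> dict:
    """Transaction fields for a withdrawal with an explicit, capped gas limit.
    With the cap at 21000 a contract destination simply fails instead of
    executing code (e.g. minting GasToken) at the hot wallet's expense."""
    return {"to": to, "value": value_wei, "gas": gas_cap, "gasPrice": gas_price_wei}


def max_fee_wei(tx: dict) -> int:
    """Worst-case fee the hot wallet can be charged for this withdrawal."""
    return tx["gas"] * tx["gasPrice"]


def suspicious_withdrawals(records, threshold: int = SIMPLE_TRANSFER_GAS):
    """Log review: withdrawals whose gas use exceeds a plain transfer mean the
    destination executed code while the exchange paid for the gas."""
    return [r for r in records if r.gas_used > threshold]


# Constructed sample log: the second entry shows a contract destination that
# burned far more than 21000 gas under a generous limit.
SAMPLE_RECORDS = [
    WithdrawalRecord("0xconstructed-1", "0x" + "11" * 20, 21_000, 21_000),
    WithdrawalRecord("0xconstructed-2", "0x" + "22" * 20, 500_000, 190_000),
    WithdrawalRecord("0xconstructed-3", "0x" + "33" * 20, 21_000, 21_000),
]

if __name__ == "__main__":
    for r in suspicious_withdrawals(SAMPLE_RECORDS):
        print(f"review {r.tx_hash}: gasUsed={r.gas_used} limit={r.gas_limit}")
```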
The paper notes that other blockchains, like EthereumClassic and EOS, may also be affected by the bug.
This is not the first critical error discovered this year. In March of this year, a bug was fixed that allowed Coinbase users to credit themselves with an infinite amount of Ethereum.
According to www.cryptoglobe.com
