A vulnerability has been discovered in exchangers running on the Ethereum blockchain

A newly discovered vulnerability involving the GasToken token, which runs on the Ethereum blockchain, could allow attackers to drain funds from exchange hot wallets, or even mint tokens at the exchange's expense for profit.

According to a recently published study, this vulnerability mainly affects exchangers that have not set a withdrawal limit. The study explains:

The most primitive attack scenario is that Vasya has an exchanger that Petya wants to hack. Petya can request a transfer of funds from his wallet to a contract address that he controls. If Vasya neglected to set a reasonable limit on ETH, he will pay a transaction fee from his hot wallet. Having carried out a sufficient number of transactions, Petya can empty Vasya’s wallet.

If the exchanger does not use KYC technology, a hacker can bypass the withdrawal limit. A more skilled attacker could even impose a “tax” on transactions, and create their own token for profit.

Notably, the vulnerability only affects those who initiate Ethereum transactions, and not those who process them. Therefore, decentralized cryptocurrency exchanges like ForkDelta and other exchangers that work with smart contracts that process user-initiated transactions will not be affected by the bug.

It is currently unknown how many exchangers are affected. The researchers who discovered the vulnerability say they contacted each potentially affected exchange before publishing the information.

Exchanges were advised to set a “reasonable gas limit” on withdrawal transactions. The researchers also advised potentially affected platforms to review their logs, as attackers could have discovered this vulnerability a long time ago.
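As an added example (not from the article or the researchers' paper), both pieces of advice in plain JavaScript without a web3 library: a withdrawal builder that fixes the gas limit instead of estimating it, and a log review over constructed sample receipts that flags withdrawals whose gas usage exceeded the cap. The receipt fields and the 50,000-gas cap are assumptions.

```javascript
// Added example, not from the article or the researchers' paper. Plain JavaScript,
// no web3 library; the receipt shape and the policy values below are assumptions.

// Assumed policy: a hot-wallet withdrawal may consume at most this much gas, so the
// worst case an attacker-controlled recipient can cost is gasCap * gasPrice, not a
// whole block's worth of gas. A plain transfer to a normal account uses 21000.
const WITHDRAWAL_GAS_CAP = 50000n;

// Build the outgoing transaction with an explicit gas limit instead of asking the
// node to estimate it (an estimate against a recipient that burns gas is itself huge).
function buildWithdrawal(to, valueWei, gasPriceWei, gasCap = WITHDRAWAL_GAS_CAP) {
  return { to, value: BigInt(valueWei), gasPrice: BigInt(gasPriceWei), gas: gasCap };
}

// The log review the researchers recommend: group past withdrawals whose gas usage
// exceeded the cap by recipient, with the fees (in wei) each one cost the hot wallet.
// Each receipt is assumed to look like { hash, to, gasUsed, gasPrice }.
function reviewWithdrawals(receipts, gasCap = WITHDRAWAL_GAS_CAP) {
  const byRecipient = new Map();
  for (const r of receipts) {
    const gasUsed = BigInt(r.gasUsed);
    if (gasUsed <= gasCap) continue; // ordinary transfer, nothing to flag
    const entry = byRecipient.get(r.to) || { count: 0, feeWei: 0n, hashes: [] };
    entry.count += 1;
    entry.feeWei += gasUsed * BigInt(r.gasPrice);
    entry.hashes.push(r.hash);
    byRecipient.set(r.to, entry);
  }
  return byRecipient;
}

// Constructed sample receipts: two ordinary withdrawals at 21000 gas and three
// withdrawals to one contract address that each burned close to a block of gas.
const SAMPLE_RECEIPTS = [
  { hash: '0xa1', to: '0xUserA',     gasUsed: 21000,   gasPrice: 20000000000 },
  { hash: '0xa2', to: '0xUserB',     gasUsed: 21000,   gasPrice: 20000000000 },
  { hash: '0xb1', to: '0xContractX', gasUsed: 7900000, gasPrice: 20000000000 },
  { hash: '0xb2', to: '0xContractX', gasUsed: 7900000, gasPrice: 20000000000 },
  { hash: '0xb3', to: '0xContractX', gasUsed: 7900000, gasPrice: 20000000000 },
];

for (const [to, e] of reviewWithdrawals(SAMPLE_RECEIPTS)) {
  console.log(`${to}: ${e.count} withdrawals, ${e.feeWei} wei in fees paid by the hot wallet`);
}
```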

The paper notes that other blockchains, like Ethereum Classic and EOS, may also be affected by the bug.

This is not the first critical error discovered this year. In March of this year, a bug was fixed that allowed Coinbase users to credit themselves with an infinite amount of Ethereum.

According to www.cryptoglobe.com
