A vulnerability has been discovered in exchanges running on the Ethereum blockchain


A newly discovered vulnerability in the GasToken token, which runs on the Ethereum blockchain, could allow hackers to withdraw funds from exchange hot storage wallets, or even counterfeit tokens for profit.

According to a recently published study, this vulnerability mainly affects exchanges that have not set a gas limit on withdrawals. The study explains:

The most primitive attack scenario is that Vasya has an exchanger that Petya wants to hack. Petya can request a transfer of funds from his wallet to a contract address that he controls. If Vasya neglected to set a reasonable limit on ETH, he will pay a transaction fee from his hot wallet. Having carried out a sufficient number of transactions, Petya can empty Vasya’s wallet.

If the exchange does not use KYC, a hacker can bypass the withdrawal limit. A more skilled attacker could even impose a “tax” on transactions and create their own token for profit.

Notably, the vulnerability only affects those who initiate Ethereum transactions, and not those who process them. Therefore, decentralized cryptocurrency exchanges like ForkDelta, and other exchanges whose smart contracts process user-initiated transactions, will not be affected by the bug.

It is currently unknown how many exchanges are affected. According to the researchers who discovered the vulnerability, they contacted each potentially affected exchange before publishing the information.

Exchanges were advised to set a “reasonable gas limit” during withdrawals. The researchers also advised potentially affected platforms to review their logs, as attackers could have discovered this vulnerability a long time ago.
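The log review recommended above could look like the following sketch, which is an added example and not code from the study or the original article. The record fields, the 50,000 gas cap, the destination names and the sample records are assumptions; the records are assumed to be plain ETH withdrawals, for which 21,000 gas is the cost when the recipient runs no code.

```python
from collections import defaultdict

PLAIN_TRANSFER_GAS = 21_000  # gas consumed by an ETH transfer that runs no code
GAS_CAP = 50_000             # assumed withdrawal policy value, not from the study

# Constructed sample withdrawal records (not real transactions or addresses).
WITHDRAWALS = [
    {"tx": "w1", "to": "0xDEST_A", "gas_limit": 21_000,
     "gas_used": 21_000, "gas_price_gwei": 20},
    {"tx": "w2", "to": "0xDEST_B", "gas_limit": 4_000_000,
     "gas_used": 3_900_000, "gas_price_gwei": 20},
    {"tx": "w3", "to": "0xDEST_B", "gas_limit": 4_000_000,
     "gas_used": 3_950_000, "gas_price_gwei": 25},
    {"tx": "w4", "to": "0xDEST_C", "gas_limit": 50_000,
     "gas_used": 23_300, "gas_price_gwei": 20},
]


def review(withdrawals, cap=GAS_CAP):
    """Group suspicious ETH withdrawals by destination.

    A withdrawal is suspicious if it was sent with a gas limit above the cap,
    or if it used more gas than a plain transfer (the recipient ran code that
    the exchange paid for). For each destination the report totals:
      excess_gwei    - fees paid beyond a plain transfer
      avoidable_gwei - fees the cap would have refused to pay
    """
    report = defaultdict(lambda: {"txs": [], "excess_gwei": 0, "avoidable_gwei": 0})
    for w in withdrawals:
        over_cap = w["gas_limit"] > cap
        ran_code = w["gas_used"] > PLAIN_TRANSFER_GAS
        if not (over_cap or ran_code):
            continue
        entry = report[w["to"]]
        entry["txs"].append(w["tx"])
        entry["excess_gwei"] += (w["gas_used"] - PLAIN_TRANSFER_GAS) * w["gas_price_gwei"]
        entry["avoidable_gwei"] += max(0, w["gas_used"] - cap) * w["gas_price_gwei"]
    return dict(report)


if __name__ == "__main__":
    # Worst destinations first, so repeated fee drain stands out.
    ranked = sorted(review(WITHDRAWALS).items(), key=lambda kv: -kv[1]["excess_gwei"])
    for dest, e in ranked:
        print(dest, e["txs"], e["excess_gwei"] / 1e9, "ETH excess,",
              e["avoidable_gwei"] / 1e9, "ETH avoidable with cap")
```

A destination that appears repeatedly with a large excess is the pattern worth investigating; a small excess under the cap, as in the third destination, can also come from an ordinary contract wallet.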

The paper notes that other blockchains, like Ethereum Classic and EOS, may also be affected by the bug.


This is not the first critical error discovered this year. In March of this year, a bug was fixed that allowed Coinbase users to credit themselves with an infinite amount of Ethereum.


According to www.cryptoglobe.com
