Level K, Ethereum Blockchain dApp Developer, Finds New ‘Minting Attack’ Threat with GasToken
According to Level K, a well-respected Ethereum smart-contract and dApp development firm, Ethereum’s intrinsic design contains a weakness that can potentially allow third-party agents to mint huge volumes of GasToken while receiving Ether payments.
Through a blog entry published on Medium late last night, the firm revealed that the aforementioned weakness has now been ‘identified’ and that most of the trading platforms that were at risk of being affected by this issue have since taken the required measures to contain it.
A Detailed Look At The Matter
While not a major problem, the vulnerability only crops up when Ether is sent to an address which is “able to carry out arbitrary computations that the transaction originator pays for”. Such a transaction carries the risk of what is known as ‘griefing’, an action taken by a nefarious agent to cause financial damage to network participants.
In theory, by minting a large amount of GasToken (procured while receiving ETH), it is possible for the above-mentioned ‘grief attacks’ to become profitable for a bad actor. If that wasn't enough, this particular risk is not limited to Ether itself but can also affect a variety of other Ethereum-based tokens (such as assets devised using the ERC-721 and ERC-20 standards).
Similarly, because token transfers are ‘contract calls’, exchanges and trading platforms that do not set a gas limit on transactions involving the tokens in question can end up paying vast amounts in computation fees.
More On The Issue
In the material Level K published on this latest threat, a member of its dev team wrote:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
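The scenario in the quote turns on one missing control: the exchange funding withdrawals without a gas limit. The Python below is an added example, not code from the article or from Level K, and models the defender's side: a hot-wallet sender that sets an explicit gas limit per withdrawal (a plain 21,000-gas transfer for an externally owned account, a small fixed cap for a contract destination), a worst-case fee bound for each transaction, and a receipt review that flags withdrawals whose gas use is far above a plain transfer. The `is_contract` callback, the 50,000-gas cap, the 8,000,000-gas uncapped figure, the gas price and the sample receipts are all constructed assumptions so that the example runs offline.

```python
"""Defensive model of the withdrawal-griefing scenario (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Gas consumed by a plain Ether transfer to an externally owned account (EOA).
EOA_TRANSFER_GAS = 21_000
# Assumed policy value: the most gas the hot wallet will fund for a withdrawal
# whose destination is a contract (enough for a simple payable fallback).
CONTRACT_WITHDRAWAL_GAS_CAP = 50_000
# Assumed figure standing in for "no limit set": roughly a whole block of gas.
UNCAPPED_GAS = 8_000_000
WEI_PER_ETH = 10**18


@dataclass
class Withdrawal:
    to: str
    value_wei: int
    gas_price_wei: int


def build_withdrawal_tx(w: Withdrawal, is_contract: Callable[[str], bool]) -> Dict:
    """Return transaction fields with an explicit gas limit.

    `is_contract` is an assumed callback; in production it would wrap
    eth_getCode and return True for a non-empty bytecode at the address.
    """
    gas = CONTRACT_WITHDRAWAL_GAS_CAP if is_contract(w.to) else EOA_TRANSFER_GAS
    return {"to": w.to, "value": w.value_wei, "gas": gas, "gasPrice": w.gas_price_wei}


def max_fee_wei(tx: Dict) -> int:
    """Worst-case fee the sender can be charged for this transaction."""
    return tx["gas"] * tx["gasPrice"]


def drain_from_withdrawals(n: int, gas_limit: int, gas_price_wei: int) -> int:
    """Total fees paid by the sender over n withdrawals to a recipient whose
    fallback burns every unit of gas it is given."""
    return n * gas_limit * gas_price_wei


def flag_suspicious_receipts(receipts: List[Dict], threshold: int = 2 * EOA_TRANSFER_GAS) -> List[str]:
    """Post-hoc check: a withdrawal receipt whose gasUsed is well above a plain
    transfer means the recipient's fallback did real work at the sender's expense."""
    return [r["txHash"] for r in receipts if r["gasUsed"] > threshold]


# Constructed sample data: one EOA withdrawal and two contract withdrawals.
CONSTRUCTED_CONTRACTS = {"0xCONTRACT-1", "0xCONTRACT-2"}
SAMPLE_RECEIPTS = [
    {"txHash": "0xTX-1", "to": "0xEOA-1", "gasUsed": 21_000},
    {"txHash": "0xTX-2", "to": "0xCONTRACT-1", "gasUsed": 4_900_000},
    {"txHash": "0xTX-3", "to": "0xCONTRACT-2", "gasUsed": 30_000},
]


def demo() -> Dict[str, int]:
    """Compare the sender's exposure with and without a gas cap."""
    gas_price = 10 * 10**9  # assumed 10 gwei
    tx = build_withdrawal_tx(
        Withdrawal("0xCONTRACT-1", WEI_PER_ETH // 10, gas_price),
        lambda addr: addr in CONSTRUCTED_CONTRACTS,
    )
    return {
        "capped_fee_per_tx_wei": max_fee_wei(tx),
        "uncapped_drain_1000_tx_wei": drain_from_withdrawals(1000, UNCAPPED_GAS, gas_price),
        "capped_drain_1000_tx_wei": drain_from_withdrawals(1000, tx["gas"], gas_price),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v / WEI_PER_ETH:.4f} ETH")
    print("suspicious receipts:", flag_suspicious_receipts(SAMPLE_RECEIPTS))
```

With these assumed numbers, a thousand uncapped withdrawals expose the hot wallet to 80 ETH in fees, whereas the capped policy bounds the same thousand withdrawals at 0.5 ETH; the receipt check singles out only the withdrawal whose fallback consumed millions of gas. Per-account withdrawal limits and KYC, as the quote notes, address the remaining lever of creating many accounts.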
If the folks over at Level K are to be believed, all of the exchanges that were exposed to this problem were notified by the firm earlier this month (on November 13). Additionally, further warnings have been issued to other trading platforms located across the globe, all of whom seem to have taken the required measures to tackle the problem in a timely and safe manner.