Over $1 Billion ERC20 Token Smart Contracts At Risk Of Facing A ‘Fake Deposit Attack’
- Over $1.1 billion stored on “incorrectly implemented” smart contracts faces a ‘cheap’ attack.
- The “Fake Deposit Attack” affects both centralized and decentralized exchanges.
- Is there a solution to prevent this attack?
The research, conducted in a combined effort from the Beijing University of Posts and Telecommunications, Peking University in Beijing, Zhejiang University (Hangzhou, China) and the University of Queensland, Australia, raises the alarm on the scale and impacts of the “Fake Deposit Vulnerability” present in ERC-20 smart contracts.
The vulnerability arises from the incorrect implementation of ERC-20 token smart contracts (missing a critical standard protocol update released in 2017) and deficient techniques of verification on centralized (CEX) and decentralized (DEX) crypto exchanges.
The research team developed DEPOSafe, an automated tool that detects the vulnerability, scouring through 172,000 ERC-20 contracts, and identifying over 7,700 contracts facing a breach. These contracts hold over $1 billion in users’ funds and could see a hacker manipulate the smart contracts and drain exchanges of these funds. The crazy part is that the hacker needs only a small amount of tokens to carry out the massive attack.
The ERC-20 vulnerability explained
The vulnerability is present in ERC-20 smart contracts that have yet to implement the Ethereum Implementation Protocol (EIP) 20 – EIP20 – which was introduced in 2017 by Ethereum co-founder Vitalik Buterin and Fabian Vogelsteller. This improvement “allows any tokens on Ethereum to be re-used by other applications: from wallets, CEX, and decentralized exchanges.”
Smart contracts that have yet to implement the protocol use conditional programming statements (CPS) to check for insufficient token balances instead of assertion statements. If the token balance is too low, the CPS transfer hits “return False” instead of aborting, so the transaction itself is not terminated. This opens up a gap between what the transaction actually does and what the developer intended, providing an opportunity for attack.
Exchanges that do not check their security verification after accepting such a smart contract on their accounts also contribute heavily to a successful attack. Inadequate back-end security verification of deposits made to CEXes is the first vulnerability that arises from exchanges. Here, the attacker exploits the “_to” and “_value” fields on ERC-20 smart contracts without the 2017 EIP20 update to send as many tokens as they wish to their accounts, because the “return False” statement doesn’t terminate the transfer.
A decentralized exchange with weak security checks faces a similar attack, whereby the “depositToken” function can tell the “transferFrom” function how many tokens to transfer into the attacker’s wallet.
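The deposit check described above, as an added example (not code from the research, DEPOSafe, or any exchange): a back-end that credits from the “_to”/“_value” calldata and the transaction status accepts a transfer that returned false, while one that requires a Transfer event emitted by the token contract does not. The addresses and receipts are constructed, and the event-based check is an assumed mitigation rather than one the research prescribes.

```python
# Added example: constructed receipts, no real chain or exchange code.
SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
TOKEN = "0x" + "11" * 20     # constructed token contract address
DEPOSIT = "0x" + "22" * 20   # constructed exchange deposit address
SENDER = "0x" + "33" * 20    # constructed depositor address

def pad(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x)."""
    return addr[2:].rjust(64, "0")

def naive_credit(tx, receipt):
    """Weak check: trusts tx status plus the _to/_value fields in calldata."""
    data = tx["input"][2:]
    if receipt["status"] != 1 or len(data) != 136 or data[:8] != SELECTOR:
        return 0
    to, value = "0x" + data[32:72], int(data[72:], 16)
    return value if to == DEPOSIT else 0

def verified_credit(tx, receipt):
    """Credit only amounts shown by Transfer events the token itself emitted."""
    if receipt["status"] != 1 or tx["to"] != TOKEN:
        return 0
    total = 0
    for log in receipt["logs"]:
        t = log["topics"]
        if (log["address"] == TOKEN and len(t) == 3 and t[0] == TRANSFER_TOPIC
                and t[2] == "0x" + pad(DEPOSIT)):
            total += int(log["data"], 16)
    return total

def sample(value, emitted):
    """Build a constructed transfer() tx and its receipt."""
    tx = {"to": TOKEN, "input": "0x" + SELECTOR + pad(DEPOSIT) + format(value, "064x")}
    logs = []
    if emitted:
        logs.append({"address": TOKEN, "data": hex(value),
                     "topics": [TRANSFER_TOPIC, "0x" + pad(SENDER), "0x" + pad(DEPOSIT)]})
    return tx, {"status": 1, "logs": logs}

# transfer() returned false: tx succeeded, but no tokens moved and no event fired.
fake = sample(1_000_000, emitted=False)
# transfer() moved tokens and emitted the Transfer event.
real = sample(250, emitted=True)

if __name__ == "__main__":
    for name, (tx, rc) in (("fake", fake), ("real", real)):
        print(name, naive_credit(tx, rc), verified_credit(tx, rc))
```

A production check would also compare the deposit address's token balance before and after the transaction, since an event alone is only as trustworthy as the token contract that emits it.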
A closer look at the affected projects
The research names the top five most vulnerable projects to the attack on both CEX and DEX exchanges. The vulnerable coins with the highest trading volume on decentralized exchanges include CloudBric, MovieCredits, BullandBear, LOVE, and EtherDOGE. Despite the coins only showing little activity in trading, the research states that a continuation of trading on these tokens could accelerate the possibility of the hack. The three main DEXes in danger are IDEX, DDEX, and EthDelta – which rectified its security verification in July.
The ‘Type 1’ attack – arising from ERC20 smart contracts – however, contributes only a small percentage of the possible attacks in comparison to ‘Type 2’ attacks on centralized exchanges. Over 99% of the 7,772 token contracts studied are vulnerable to attack due to insufficient security verification by CEXes.
Tokens such as Baer Chain’s BRC token, the Brave privacy web browser’s Basic Attention Token (BAT), the Huobi Chinese cryptocurrency exchange’s HPT token, the Rocket Pool Ethereum app service’s RPL token, and the Power Ledger electrical grid blockchain’s PWR token represent the top-five vulnerable tokens on CEXes with the highest market capitalization.
The researchers did not name any other tokens vulnerable to the attack, citing security reasons.
A solvable problem?
ERC20 smart contracts are irreversible; hence tokens such as BAT and Power Ledger can do little to reverse the problem. Here’s where centralized and decentralized exchanges come in. According to Vogelsteller, cryptocurrency exchanges should increase their security verification procedures for tokens that face the vulnerability and blacklist any malicious token contracts on their platform.
Lei Wu, an assistant professor at Zhejiang University, suggested smart contract developers build smart proxy contracts to allow them to replace old Ethereum-based smart contracts. However, this also has its security problems.
Finally, new smart contract developers are urged to implement protective smart contract procedures such as the EIP20 to prevent such attacks in the future.
The research also mentions that the “Fake Deposit Vulnerability” is present on other smart contracts such as Tether (USDt) and EOSIO.