The potential gas token security weakness
According to Level K, a developer of dApps and Ethereum smart contracts, exchanges that send ETH without capping a transaction's gas are exposed to an attack in which the receiving address mints large amounts of GasToken at the sender's expense. The mechanism being abused is a legitimate feature of Ethereum: an address that receives ETH may be a contract, a contract can run code when it is paid, and the sender of the transaction pays for that execution.
In a post published on November 21st, Level K said it had privately flagged the weakness to the exchanges it judged most at risk, and that those exchanges had since deployed patches to contain the threat.
The weakness arises because an address that receives ETH can be a contract, and a contract can execute arbitrary code (its fallback function) as part of the transfer. The originator of the transaction pays for that execution, which opens the door to "griefing": a bad actor puts code behind the receiving address that is designed to waste the sender's gas rather than to do anything useful. If an exchange sends withdrawals without a gas limit, or with a limit as high as the block allows, an attacker can request a withdrawal to such an address and have the exchange pay for an arbitrary amount of computation.
The attack turns from merely destructive into profitable if the attacker's code mints GasToken while receiving the ETH. GasToken is a contract that banks gas by writing to storage (or deploying tiny contracts) when gas is cheap and later frees it to claim the EVM's refund when gas is expensive; tokens minted with the exchange's gas are a free asset for the attacker. Level K says the risk is not limited to ETH but also extends to ERC-20 and ERC-721 token withdrawals: any transfer whose execution calls into the recipient's code (as ERC-721's safeTransferFrom does through onERC721Received) gives the recipient the same opportunity. If an exchange does not set a gas limit for transactions with these tokens, it can end up paying for computation that does nothing useful for it.
An excerpt from the material published by Level K explains the threat with a hypothetical case study:
"In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay the transaction fee out of her hot wallet. Given enough transactions, Bob can drain Alice's funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice's wallet to drain."
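To make the scenario above concrete, here is an added example (not Level K's code and not a real web3 client) that models Bob's withdrawal loop against two versions of Alice's hot wallet: one that trusts the node's gas estimate, and one that caps gas per withdrawal. The in-process MockNode, the recipient types, the 10 gwei gas price, the 36,000 gas-per-token figure and the 50,000 gas cap are all assumptions of this model, not GasToken's or any exchange's real numbers.

```python
"""Constructed model of the GasToken griefing attack on an exchange hot wallet.

Added example, not Level K's code and not a real web3 client: an in-process
MockNode stands in for the JSON-RPC node so this runs offline. Values marked
ASSUMED are placeholders, not GasToken's real per-token costs.
"""
from dataclasses import dataclass

BLOCK_GAS_LIMIT = 8_000_000     # mainnet block gas limit in late 2018 (approx.)
TX_BASE_GAS = 21_000            # intrinsic gas charged to every transaction
GAS_PRICE_WEI = 10 * 10**9      # ASSUMED: 10 gwei
MINT_GAS_PER_TOKEN = 36_000     # ASSUMED: gas Bob's fallback spends per token minted
WITHDRAWAL_GAS_CAP = 50_000     # ASSUMED exchange policy: enough for a plain wallet contract


@dataclass
class Recipient:
    """A withdrawal destination. Only a contract runs code when it is paid."""
    is_contract: bool = False
    fallback_gas: int = 0         # gas a benign contract's fallback needs to complete
    mints_gastoken: bool = False  # Bob's contract: burn all forwarded gas minting GasToken


@dataclass
class Receipt:
    success: bool
    gas_used: int
    fee_wei: int        # what the exchange's hot wallet pays
    tokens_minted: int  # what Bob walks away with


class MockNode:
    """Stand-in for a node. estimate_gas behaves like eth_estimateGas: it reports
    whatever the recipient's code would consume, so the recipient picks the number."""

    def estimate_gas(self, to: Recipient) -> int:
        if not to.is_contract:
            return TX_BASE_GAS
        if to.mints_gastoken:
            return BLOCK_GAS_LIMIT               # a greedy fallback will use all it can get
        return TX_BASE_GAS + to.fallback_gas

    def send_transaction(self, to: Recipient, gas: int, gas_price: int) -> Receipt:
        forwarded = gas - TX_BASE_GAS            # gas available to the recipient's code
        if not to.is_contract:
            return Receipt(True, TX_BASE_GAS, TX_BASE_GAS * gas_price, 0)
        if to.mints_gastoken:
            # Adaptive fallback: mints as many tokens as the forwarded gas allows,
            # burns the rest, and never runs out of gas, so the call succeeds.
            minted = forwarded // MINT_GAS_PER_TOKEN
            return Receipt(True, gas, gas * gas_price, minted)
        if to.fallback_gas > forwarded:
            # Out of gas: the call reverts, but every unit burned is still paid for.
            return Receipt(False, gas, gas * gas_price, 0)
        used = TX_BASE_GAS + to.fallback_gas
        return Receipt(True, used, used * gas_price, 0)


def withdraw_vulnerable(node: MockNode, to: Recipient, gas_price: int = GAS_PRICE_WEI) -> Receipt:
    """Hot wallet that trusts eth_estimateGas: the recipient decides the bill."""
    gas = min(node.estimate_gas(to), BLOCK_GAS_LIMIT)
    return node.send_transaction(to, gas, gas_price)


def withdraw_hardened(node: MockNode, to: Recipient, gas_price: int = GAS_PRICE_WEI,
                      gas_cap: int = WITHDRAWAL_GAS_CAP) -> Receipt:
    """Hot wallet with a per-withdrawal gas cap. A recipient that needs more
    than the cap gets a failed transfer, and the exchange's loss is bounded."""
    gas = min(node.estimate_gas(to), gas_cap)
    return node.send_transaction(to, gas, gas_price)


def drain(withdraw, to: Recipient, n: int) -> tuple:
    """Bob's loop from the Level K scenario: n withdrawals to his contract.
    Returns (total fee paid by the exchange in wei, GasToken minted for Bob)."""
    node = MockNode()
    fee = minted = 0
    for _ in range(n):
        receipt = withdraw(node, to)
        fee += receipt.fee_wei
        minted += receipt.tokens_minted
    return fee, minted


if __name__ == "__main__":
    bob = Recipient(is_contract=True, mints_gastoken=True)
    for name, fn in (("vulnerable", withdraw_vulnerable), ("hardened", withdraw_hardened)):
        fee, minted = drain(fn, bob, 10)
        print(f"{name}: exchange paid {fee / 10**18:.4f} ETH, Bob minted {minted} GasToken")
```

Under these assumptions ten withdrawals cost the vulnerable wallet 0.8 ETH in fees and hand Bob 2,210 GasToken, while the capped wallet pays 0.005 ETH and Bob mints nothing. The cap alone only bounds the loss per withdrawal; the per-account withdrawal limits and KYC that the Level K excerpt mentions are what bound how many withdrawals Bob can make. In a real client the cap is applied by setting the transaction's gas field explicitly instead of forwarding the node's estimate.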
Level K said that the exchanges potentially affected were notified privately on November 13th. Because it was impossible to know for certain which exchanges had no protection in place, the notification was sent to as many exchanges as possible, and those exchanges have now implemented patches to fix the problem. Level K has also published further information on the threat and the actions that can be taken to contain it.
What is your opinion on this Ethereum network issue? Please feel free to leave your comments below.