Level K, a smart contract and decentralized application development company, has discovered a critical security weakness in the Ethereum blockchain. The vulnerability would have allowed an attacker to reward himself large amounts of GasToken when receiving Ethereum’s native cryptocurrency ETH. It is still not clear how many exchanges have been possibly affected by the bug. Also, there is no report that hackers have successfully exploited the weakness to mint GasToken.
According to a Medium post published Nov. 21; many exchanges have been notified privately about the vulnerability. The disclosure urged all the parties to review their logs to determine whether they have been affected by this attack. The disclosure reads in part:
“Many exchanges allow the withdrawal of Ethereum to arbitrary addresses with no gas usage limit. Since sending Ethereum to a contract address executes its fallback function, attackers can make these exchanges pay for arbitrary computation. This allows attackers to force exchanges to burn their own Ethereum on high transaction costs. Attackers may even benefit financially by mining TokenGas.”
As per the report, an address can carry out arbitrary computations at the cost of the person who initiated the transaction, when ETH is sent to that address. Therefore, it would be possible for such an attack to become profitable for the dishonest party.
The disclosure also stated that this bug doesn’t affect exchanges that process Ethereum transactions. Only those who initiate Ethereum transactions are affected.
The researchers discovered the security vulnerability last month. They immediately notified the founders of GasToken, and several parties that could have been attacked by it.
The discovery of this vulnerability is a clear sign the blockchain is not as safe as people think. Early this year, a group unearthed a security weakness in crypto exchange Coinbase, which allowed bad actors to steal unlimited amount of ETH.
You can read the full report here.