Level K, a smart contract and dApp development firm working on Ethereum, has identified a vulnerability affecting exchanges on the Ethereum platform which enables malicious entities to mint a substantial amount of GasToken, at the exchange's expense, when receiving ETH.
The vulnerability arises when ETH is sent to a contract address: the receiving contract's fallback function runs, and any computation it performs is paid for by the originator of the transaction. This carries the risk of 'griefing', an action by a bad actor aimed at harming the network and its users. In principle, an attacker can make a transaction originator such as an exchange pay for an arbitrary amount of computation if the exchange is not protected by proper gas limits. Some exchanges allow ETH to be withdrawn to arbitrary addresses with no limit on the gas a withdrawal may consume. This allows attackers to force exchanges to burn their own ETH on transaction fees, while the attackers profit by minting GasToken inside the receiving contract. The griefing vector thus becomes a profitable attack.
The griefing attack is not limited to ETH. It also applies to Ethereum-based tokens built on the ERC-721 and ERC-20 standards. Exchanges sometimes perform token transfers by making contract calls without setting a gas limit; in such cases they likewise end up paying for arbitrary amounts of computation and face the same consequences described above.
The threat, however, affects only exchanges that initiate Ethereum transactions, not those that merely process incoming transactions, according to Level K's document explaining the bug. Ethereum Classic and other EVM-based blockchains (e.g., the POA network) may be affected. DEXs and other smart-contract-based exchanges are not affected, since on those platforms users originate and pay for their own transactions.
The document further elaborated on the bug by including a simple case study, “Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet. Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
“A more sophisticated Bob might control the code for a token listed on Alice’s exchange, either because the token is an upgradeable contract or because Alice’s exchange automatically lists tokens. Transfers of this token may occur via the transfer function. If Bob updates that function to perform the same expensive computation as described above, then Alice’s exchange will pay the cost on every transfer of that token.”
The document details certain recommendations for exchanges.
— Implement reasonable gas limits on all transactions. If a transaction is allowed to incur a high cost, the user requesting it must be made to bear that cost.
— Fees for a given withdrawal should always cover the gas required.
— Direct most withdrawals to user (non-contract) addresses; a plain ETH transfer to such an address costs 21,000 gas, the minimum an Ethereum transaction can consume. Withdrawals to contract addresses may require more gas, but the cost of such a withdrawal is easy to estimate, so the exchange can either set an appropriate gas limit or charge the user according to the gas used.
— Review transaction logs to determine whether the exchange has already been attacked.
— Consider whether the same issue exists on other blockchains the exchange supports, such as Ethereum Classic or EOS, and set limits accordingly.
— Implement rate limiting and gas monitoring on withdrawal.
— Do not assume that monitoring the primary GasToken contract is sufficient to detect this attack: an attacker can deploy new GasToken contracts with the same gas storage properties as the original, and these should be included in monitoring as well.
— Contracts that implement ERC721, ERC777, and ERC677 should limit the gas forwarded when making calls to unknown addresses. In addition, the front-ends of decentralized applications that use these contracts can warn users whenever a transaction would use an unusual amount of gas.
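As an added illustration (not code from Level K's document or from any exchange), the following Python sketches the exchange-side controls the recommendations above describe: a fixed 21,000-gas limit for non-contract recipients, an estimate-then-cap rule for contract recipients with the charged fee always covering the gas limit, per-account rate limiting on withdrawal count and total gas, and an audit of past withdrawal receipts. The `Node` class, the 100,000-gas cap, and every address, hash and receipt are constructed assumptions so the file runs offline; a real backend would issue eth_getCode and eth_estimateGas (in web3.py, `w3.eth.get_code` and `w3.eth.estimate_gas`) against its own node.

```python
"""Exchange-side guards against gas griefing on withdrawals.

Added illustration, not code from Level K or any exchange. Node is a
constructed stand-in for the two JSON-RPC calls a backend would make
(eth_getCode and eth_estimateGas), so everything here runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass

EOA_GAS = 21_000            # gas for a plain ETH transfer to a non-contract address
CONTRACT_GAS_CAP = 100_000  # assumed exchange policy: max gas for a contract recipient
GWEI = 10**9


class Node:
    """Constructed node stub. `code` maps address -> bytecode; `fallback_gas`
    maps contract address -> gas its fallback burns when it receives ETH."""

    def __init__(self, code, fallback_gas):
        self.code = code
        self.fallback_gas = fallback_gas

    def get_code(self, addr):
        return self.code.get(addr, b"")

    def estimate_gas(self, tx):
        if self.get_code(tx["to"]) == b"":
            return EOA_GAS
        return EOA_GAS + self.fallback_gas[tx["to"]]


class WithdrawalRejected(Exception):
    pass


@dataclass
class Withdrawal:
    account: str
    to: str
    value_wei: int
    gas_limit: int   # goes into the transaction's `gas` field: the real enforcement
    fee_wei: int     # charged to the user; always equals gas_limit * gas_price


def plan_withdrawal(node, account, to, value_wei, gas_price_wei):
    """Choose a gas limit and user fee for one withdrawal, or reject it.

    Non-contract recipients get exactly EOA_GAS. Contract recipients are
    estimated and refused above CONTRACT_GAS_CAP, so an expensive fallback
    (e.g. one that mints GasToken until gas runs out) cannot be billed to the
    hot wallet. The estimate is advisory: a contract can change behaviour
    between estimation and execution, so the gas_limit placed on the signed
    transaction is what actually bounds the exchange's exposure.
    """
    if node.get_code(to) == b"":
        gas_limit = EOA_GAS
    else:
        estimate = node.estimate_gas({"to": to, "value": value_wei})
        if estimate > CONTRACT_GAS_CAP:
            raise WithdrawalRejected(
                f"{to}: estimated {estimate} gas exceeds cap {CONTRACT_GAS_CAP}")
        gas_limit = estimate
    return Withdrawal(account, to, value_wei, gas_limit, gas_limit * gas_price_wei)


class RateLimiter:
    """Per-account sliding window over withdrawal count and total gas, so that
    many small withdrawals cannot add up to a large gas spend."""

    def __init__(self, max_count, max_gas, window_s):
        self.max_count, self.max_gas, self.window_s = max_count, max_gas, window_s
        self.events = defaultdict(list)  # account -> [(timestamp, gas)]

    def allow(self, account, gas, now):
        recent = [e for e in self.events[account] if e[0] > now - self.window_s]
        if len(recent) >= self.max_count or sum(g for _, g in recent) + gas > self.max_gas:
            self.events[account] = recent
            return False
        recent.append((now, gas))
        self.events[account] = recent
        return True


def audit_receipts(receipts):
    """Log review: return (tx hash, gasUsed) for past withdrawals whose gas use
    exceeds the cap, i.e. ones where the hot wallet paid for someone's computation."""
    return [(r["hash"], r["gasUsed"]) for r in receipts if r["gasUsed"] > CONTRACT_GAS_CAP]


# Constructed sample data; addresses and hashes are placeholders, not real ones.
SAMPLE_NODE = Node(
    code={"0xCONTRACT_SAFE": b"\x60\x80", "0xCONTRACT_GRIEF": b"\x60\x80"},
    fallback_gas={"0xCONTRACT_SAFE": 40_000, "0xCONTRACT_GRIEF": 7_900_000},
)
SAMPLE_RECEIPTS = [
    {"hash": "0xTX1", "to": "0xEOA_USER", "gasUsed": 21_000},
    {"hash": "0xTX2", "to": "0xCONTRACT_GRIEF", "gasUsed": 7_921_000},
    {"hash": "0xTX3", "to": "0xCONTRACT_SAFE", "gasUsed": 61_000},
]

if __name__ == "__main__":
    price = 10 * GWEI
    print(plan_withdrawal(SAMPLE_NODE, "alice", "0xEOA_USER", 10**18, price))
    try:
        plan_withdrawal(SAMPLE_NODE, "bob", "0xCONTRACT_GRIEF", 10**18, price)
    except WithdrawalRejected as exc:
        print("rejected:", exc)
    print("suspicious:", audit_receipts(SAMPLE_RECEIPTS))
```

The cap is the policy knob: it has to sit below the fee the exchange is willing to lose on a single withdrawal, because the recipient contract, not the exchange, decides how much of the forwarded gas actually gets burned. The audit function is the retrospective counterpart, and it should be pointed at the hot wallet's full transaction history, not only at transfers to the known GasToken contract.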
According to Level K, private notifications were sent around a week earlier to exchanges believed to be affected by the bug, as well as to those not thought to be at risk. Most of the exchanges have since fixed the problem on their end.