Developer Finds Security Issue on the Ethereum Platform

DApp developer Level K released a public disclosure of a newly detected vulnerability involving the minting of GasToken across Ethereum.

Many exchanges allow the withdrawal of Ethereum to arbitrary addresses with no gas usage limit… attackers can make these exchanges pay for arbitrary computation

Gas Token Minting Wallet Disclosure by Level K, Trail of Bits, and IC3

The vulnerability allows arbitrary computation to be executed when an amount of ETH is delivered to a wallet address, which Level K identifies as a vector for griefing. It can also be used to mint a sizeable quantity of GasToken, which makes griefing a rewarding attack.

Most exchanges are said to have patched up the bug after receiving a private disclosure from Level K.

A Brief Word on Griefing

This kind of attack affects ERC721 and ERC20 tokens, as well as extensions such as ERC777 and ERC677.

Griefing is the risk of attacks that take advantage of exchanges, or other transaction starting points, that do not have protections such as gas limits in place. Such attacks induce exchanges to burn ETH on excessive transaction costs, while the attacker reaps the rewards by minting gas tokens.

Recommendations

The recommendations from the full disclosure document include a reasonable gas limit on all transactions, monitoring of GasToken contracts, and restrictions on gas usage for ERC721, ERC777, and ERC677 contracts.
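The first two recommendations can be sketched as a signing-time gas clamp plus a receipt audit. This is an added example, not code from the disclosure or from any exchange; the cap values, the record fields and the `0xGASTOKEN_PLACEHOLDER` address are assumptions made for illustration.

```python
from dataclasses import dataclass

INTRINSIC_TRANSFER_GAS = 21_000                  # protocol cost of a plain ETH transfer
GAS_CAPS = {"eth": 30_000, "erc20": 100_000}     # assumed ceilings per withdrawal kind
WATCHED = frozenset({"0xGASTOKEN_PLACEHOLDER"})  # placeholder, not a real address

@dataclass(frozen=True)
class Withdrawal:
    tx_id: str
    kind: str                 # "eth" or "erc20"
    gas_limit: int            # limit the exchange signed with
    gas_used: int             # from the transaction receipt
    gas_price_gwei: int
    touched: frozenset = frozenset()   # contracts seen in the call trace

def capped_gas_limit(kind, estimate):
    """Gas limit to sign with. The estimate comes from simulating the
    recipient's code, so it is clamped to the cap rather than trusted."""
    cap = GAS_CAPS[kind]      # unknown kind raises KeyError: fail closed
    return min(max(estimate, INTRINSIC_TRANSFER_GAS), cap)

def audit(w):
    """Return (code, detail) findings for one completed withdrawal."""
    cap = GAS_CAPS.get(w.kind)
    if cap is None:
        return [("no_cap_for_kind", w.kind)]
    findings = []
    if w.gas_limit > cap:
        findings.append(("limit_over_cap", w.gas_limit - cap))
    if w.gas_used > cap:
        # Fee paid beyond what a capped transaction could have cost, in gwei.
        findings.append(("excess_fee_gwei", (w.gas_used - cap) * w.gas_price_gwei))
    for addr in sorted(w.touched & WATCHED):
        findings.append(("watched_contract", addr))
    return findings

# Constructed sample records, not data from the disclosure.
SAMPLE = [
    Withdrawal("w1", "eth", 21_000, 21_000, 10),
    Withdrawal("w2", "eth", 4_000_000, 3_900_000, 10, frozenset({"0xGASTOKEN_PLACEHOLDER"})),
    Withdrawal("w3", "erc721", 500_000, 480_000, 10),
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(w.tx_id, audit(w) or "ok")
```

Withdrawal kinds without a defined cap are reported rather than silently allowed, which covers the third recommendation until explicit ceilings for ERC721, ERC777 and ERC677 transfers are chosen.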

The Biggest Bugs of 2018

Three of this year’s most critical bugs are Bitcoin ABC’s SIGHASH_BUG, Bitcoin Core’s Denial-of-Service vulnerability, and Monero Core’s burning bug.
