The vulnerability allows arbitrary computation to run when ETH is sent to a wallet address, which Level K identifies as a vector for griefing. That computation can mint a sizeable quantity of GasToken, which makes griefing a rewarding attack.
Most exchanges are said to have patched the bug after receiving a private disclosure from Level K.
We will shortly disclose a security issue that could potentially cause exchanges a loss of funds. In order to receive advance notice prior to disclosure, please add your name to the following list via pull request, or by DM’ing @trailofbits or @levelk_io: https://t.co/2Y5niurffl
— Level K (@levelk_io) November 9, 2018
A Laconic on Griefing
This kind of attack affects ERC721 and ERC20, and extensions such as ERC777 and ERC677 tokens.
Griefing refers to attacks that take advantage of exchanges, or other transaction originators, that lack protections such as gas limits. The exchange is made to burn ETH on excessive transaction costs, while the attacker reaps the rewards by minting gas tokens.
The recommendations from the full disclosure document include a reasonable gas limit on all transactions, monitoring of GasToken contracts, and restrictions on gas usage for ERC721, ERC777, and ERC677 contracts.
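As an added example (not Level K's or any exchange's code), the following Python sketches the first and third recommendations on the sending side: a per-asset gas cap applied to every outgoing withdrawal, plus a scan of past receipts for transfers that burned far more gas than a transfer should. The asset caps, gas baselines and receipts are constructed values and would need tuning to real traffic.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed policy: the most gas the exchange will ever forward per asset
# type. A plain ETH transfer to an externally owned account costs 21_000 gas
# and an ordinary ERC20 transfer well under 100_000, so these caps leave
# headroom for legitimate receivers while bounding what a hostile fallback
# or token hook (ERC777/ERC677) can burn at the exchange's expense.
GAS_CAPS = {"ETH": 30_000, "ERC20": 100_000, "ERC777": 150_000, "ERC721": 150_000}

# Constructed baselines for detection: gas a well-behaved transfer of each
# asset type typically consumes.
EXPECTED_GAS = {"ETH": 21_000, "ERC20": 65_000, "ERC777": 90_000, "ERC721": 90_000}


@dataclass
class Withdrawal:
    asset: str
    to: str
    value: int
    requested_gas: Optional[int] = None  # None: requester left the limit to us


def gas_limit_for(w: Withdrawal) -> int:
    """Gas limit to place on the outgoing transaction: never above the cap."""
    cap = GAS_CAPS.get(w.asset)
    if cap is None:
        raise ValueError(f"no gas policy for asset {w.asset!r}")
    return cap if w.requested_gas is None else min(w.requested_gas, cap)


def flag_griefing(receipts: Iterable[dict], ratio: float = 2.0) -> List[str]:
    """Return tx hashes whose gas_used exceeds ratio x the asset's baseline.

    Meant for historical withdrawals sent before a cap was enforced: a
    receiver doing heavy work in its fallback or token hook stands out here.
    """
    return [
        r["tx_hash"]
        for r in receipts
        if r["asset"] in EXPECTED_GAS and r["gas_used"] > ratio * EXPECTED_GAS[r["asset"]]
    ]


# Constructed receipts, not real chain data.
SAMPLE_RECEIPTS = [
    {"tx_hash": "0xconstructed-01", "asset": "ETH", "gas_used": 21_000},
    {"tx_hash": "0xconstructed-02", "asset": "ERC20", "gas_used": 52_000},
    {"tx_hash": "0xconstructed-03", "asset": "ETH", "gas_used": 4_800_000},
]

if __name__ == "__main__":
    print(gas_limit_for(Withdrawal("ETH", "0xconstructed-to", 10**18, requested_gas=8_000_000)))
    print(flag_griefing(SAMPLE_RECEIPTS))
```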
The Biggest Bugs of 2018
Three of this year’s most critical bugs are Bitcoin ABC’s SIGHASH_BUG, Bitcoin Core’s Denial-of-Service vulnerability, and Monero Core’s burning bug.