Level K, a dApp developer, has revealed a bug in the code of the Ethereum-based GasToken that could be exploited by malicious users.
The revelation came in a blog post published by the firm on November 21, in which it wrote that malicious users could take advantage of the bug to mint large volumes of ether while receiving payments from exchanges.
It revealed that the at-risk entities are mainly exchanges, and said that most have already been notified of the vulnerability and have taken action.
GasToken, in which the flaw was found in October, was duly informed, even though there was no information on which exchanges support the platform.
Hackers Minting Money Out of Thin Air
What is obvious is that hackers would be able to impose very high fees on exchanges that do not set gas limits for transactions. It would have been good business for the hackers, since they would literally have minted money out of thin air.
The vulnerability, described as ‘griefing’, arises when a hacker exploits a weakness that becomes apparent when a wallet is sending ether.
Explaining the scenario under which the exploit could occur, the Level K release stated:
“In the simplest exploit scenario, Alice runs an exchange, which Bob wants to harm. Bob can initiate withdrawals to a contract address he controls with a computationally intensive fallback function. If Alice has neglected to set a reasonable gas limit, she will pay transaction fees out of her hot wallet.
“Given enough transactions, Bob can drain Alice’s funds. If Alice fails to enforce Know Your Customer (KYC) policies, Bob can create numerous accounts to circumvent single-account withdrawal limits. In addition, if Bob also wants to make a profit, he can mint GasToken in his fallback function, and make money while causing Alice’s wallet to drain.”
According to the release, the hacker could theoretically mint gas tokens in the guise of the legitimate fees the exchange pays for sending the token. This will be especially profitable when exchanges are targeted, since they routinely send the digital currency.
With the gas fees set by the hackers, exchanges that do not cap their gas fees could be made to pay far more than they anticipated.
Malicious actors will take advantage of GasToken to profit from the vulnerability.
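To make the cost side of Level K's scenario concrete, here is an added Python model (not Level K's or GasToken's code) of the fee a hot wallet pays on one withdrawal to a contract address, as a function of the gas limit it sets. The EVM constants (21,000 intrinsic gas, the 2,300 call stipend, 20,000 gas for a fresh storage write) are the 2018-era mainnet values; the 8,000,000 block gas limit, the 10 gwei gas price and the per-withdrawal fee budget are constructed assumptions for the example.

```python
# Added model (not Level K's or GasToken's code) of how much a hot wallet can
# be made to pay in fees on a single withdrawal, depending on the gas limit it
# sets. EVM constants are the 2018-era values; scenario values are constructed.

TX_BASE_GAS = 21_000         # intrinsic gas of every transaction
CALL_STIPEND = 2_300         # gas a plain value transfer gives the recipient's fallback
G_SSET = 20_000              # gas to write one fresh nonzero storage word (one GasToken mint)
BLOCK_GAS_LIMIT = 8_000_000  # approximate mainnet block gas limit, late 2018 (assumption)
GWEI = 10**9


def withdrawal_fee(gas_limit, gas_price_wei, fallback_gas_demand):
    """Fee in wei the sender pays for one withdrawal to a contract address.

    The recipient's fallback can only consume the gas the transaction forwards
    (gas_limit minus the intrinsic cost), but the sender pays for every unit
    consumed whether or not the call succeeds: a fallback that demands more
    than it was given runs out of gas and still consumes all of it.
    """
    forwarded = max(gas_limit - TX_BASE_GAS, 0)
    consumed = min(forwarded, fallback_gas_demand)
    return (TX_BASE_GAS + consumed) * gas_price_wei


def worst_case_fee(gas_limit, gas_price_wei):
    """Upper bound on the fee: assume the fallback burns everything it is given."""
    return withdrawal_fee(gas_limit, gas_price_wei, fallback_gas_demand=BLOCK_GAS_LIMIT)


def mints_possible_in_fallback(gas_limit):
    """Upper bound on fresh storage words (GasToken mints) that fit in the gas
    forwarded to the fallback; contract overhead is ignored, so this is generous."""
    return max(gas_limit - TX_BASE_GAS, 0) // G_SSET


def gas_limit_within_policy(gas_limit, gas_price_wei, max_fee_wei):
    """Pre-broadcast check for a withdrawal service: reject any gas limit whose
    worst-case fee exceeds the per-withdrawal fee budget."""
    return worst_case_fee(gas_limit, gas_price_wei) <= max_fee_wei


if __name__ == "__main__":
    price = 10 * GWEI                     # constructed gas price
    unbounded = BLOCK_GAS_LIMIT           # wallet forwards "as much as fits in a block"
    bounded = TX_BASE_GAS + CALL_STIPEND  # wallet forwards only the value-transfer stipend
    for label, limit in (("unbounded", unbounded), ("bounded", bounded)):
        print(label, worst_case_fee(limit, price) / 10**18, "ETH worst case,",
              mints_possible_in_fallback(limit), "mints possible in the fallback")
```

The bounded case forwards only the 2,300-gas stipend of a plain value transfer, which is less than a single storage write, so nothing can be minted inside the recipient's fallback, and the worst-case fee per withdrawal falls from 0.08 ETH to about 0.00023 ETH at 10 gwei. A withdrawal service can run `gas_limit_within_policy` on every outgoing transaction and alert on rejections rather than silently paying.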
Ethereum Platforms May Be Vulnerable
The release further stated that the vulnerability is not limited to the platform; tokens based on the Ethereum platform, such as ERC-20 and ERC-721 tokens, could also be prone to the attack.
It continued that exchanges that do not set gas limits would be the primary target.
Fortunately, the bug was found by benign actors (assuming no bad actors were using it prior to discovery). This is one of the challenges of blockchain coding, and it brings to the fore the challenges blockchain faces: a single bug is capable of wreaking devastation on the network when exploited by bad actors.
As of the time of this report, there is no indication of the number of exchanges affected by the loophole; nevertheless, Level K sent the notification to all the major exchanges, since there was no way to ascertain whether they were capping their gas fees during transactions.
If the bug had been discovered earlier by cybercriminals, it is certain that they would have been exploiting it for some time.
In the meantime, the necessary actions have been taken to contain the bug, as described in the full report provided by Level K.
The vulnerability was discovered early in October, but the team worked quietly in the background to ensure that it was contained.
A review of the GasToken website shows that it is a tokenization platform on which users of the Ethereum network can tokenize gas, the Ethereum network’s unit for measuring transaction fees.
According to the site, the purpose of the gas token is to enable investors to store gas when it is cheap and use it when it costs more.
The platform may have been inspired by the events of Q4 2017, when gas prices spiked on the Ethereum network, mainly due to congestion caused by the launch of decentralized apps such as CryptoKitties.
The site content said,
“Gas is a fundamental resource in the Ethereum network. Every transaction on the network must include some gas, and the fee paid to miners for each transaction is directly proportional to the gas consumed by a transaction.
“GasToken allows a transaction to do the same amount of work and pay for less gas, saving on miner fees and costs and allowing users to bid higher gas prices without paying correspondingly higher fees. Using GasToken on an eligible transaction, you can save money on the Ethereum network today.”
The site said that GasToken takes advantage of the storage refund in Ethereum, highlighting that Ethereum gives a refund when a storage element is deleted.
Save Data and Mint Tokens at GasToken
Explaining how the system works, the Gas Token team said,
“The way GasToken works is simple: you create (or mint) GasToken tokens by saving data into the GasToken contract’s storage, when gas prices are low.
When gas prices are high (during an ICO, during peak hours, whatever), you spend (or free) GasToken tokens by sending them back to the GasToken contract for destruction, freeing up the data saved in an earlier step.
This new transaction now gets a refund, making it much cheaper to execute than the same transaction that doesn’t use GasToken.”
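The storage refund mechanics described above, as an added Python model that is not GasToken's own contract code: the SSTORE costs, the 15,000-gas refund for clearing a word and the rule that refunds are capped at half of the gas used are the 2018-era (pre-Istanbul) EVM values; the 300,000-gas "work" figure is a constructed example, and the GasToken contract's own call overhead is ignored.

```python
# Added model (not GasToken's code) of the Ethereum storage refund that
# GasToken relies on. EVM constants are the 2018-era (pre-Istanbul) values;
# the work sizes used in the demo are constructed.

TX_BASE_GAS = 21_000   # intrinsic gas of every transaction
G_SSET = 20_000        # SSTORE zero -> nonzero: what a mint pays per storage word
G_SRESET = 5_000       # SSTORE nonzero -> zero: what a free pays per word
R_SCLEAR = 15_000      # refund credited for each word cleared back to zero


def mint_gas(n_tokens):
    """Gas a mint transaction spends writing n fresh storage words (cheap-gas period)."""
    return TX_BASE_GAS + n_tokens * G_SSET


def charged_gas(gas_used, refund):
    """Gas actually billed: the EVM caps the refund at half of the gas used."""
    return gas_used - min(refund, gas_used // 2)


def gas_billed_with_free(work_gas, n_tokens):
    """Gas billed for a tx that does work_gas of real work and also frees n tokens."""
    used = TX_BASE_GAS + work_gas + n_tokens * G_SRESET
    return charged_gas(used, n_tokens * R_SCLEAR)


def best_tokens_to_free(work_gas):
    """Number of tokens to free that minimises the bill for a given amount of work.

    Each freed token nets R_SCLEAR - G_SRESET gas until the half-of-gas-used
    cap binds; past that point every extra token only adds G_SRESET, so the
    search stops as soon as the bill stops falling. Returns (n_tokens, bill).
    """
    best_n, best_bill = 0, gas_billed_with_free(work_gas, 0)
    n = 1
    while True:
        bill = gas_billed_with_free(work_gas, n)
        if bill >= best_bill:
            return best_n, best_bill
        best_n, best_bill = n, bill
        n += 1


def breakeven_price_ratio():
    """Ratio of gas price at free time to gas price at mint time above which
    minting a token and freeing it later saves money (overhead ignored):
    a token costs G_SSET to mint and saves at most R_SCLEAR - G_SRESET when freed."""
    return G_SSET / (R_SCLEAR - G_SRESET)


if __name__ == "__main__":
    work = 300_000  # constructed: gas of the "real" transaction, e.g. a contract call
    n, bill = best_tokens_to_free(work)
    print("without GasToken:", gas_billed_with_free(work, 0), "gas billed")
    print("freeing", n, "tokens:", bill, "gas billed; minting them cost", mint_gas(n))
    print("worth it only if gas price rises more than", breakeven_price_ratio(), "x")
```

Two things the site's description leaves out fall straight out of the model: the half-of-gas-used cap means GasToken can never cut a transaction's bill below roughly half, so freeing more tokens past the optimum makes the bill go up again, and because a token costs 20,000 gas to mint but nets at most 10,000 gas when freed, the scheme only pays off when the gas price at spend time is more than double the price at mint time (worse once contract overhead is counted).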
Experience has shown that every blockchain project must be thought through in terms of economics, technical design and logic. The absence of any of these, or of their associated components, is generally exploited by malicious actors, who seem to actively seek out such flaws.
That the project has, built into its operational pathway, a mechanism by which it mints tokens is enough incentive for hackers to painstakingly seek out a weak link in the code.
Such occurrences are not uncommon whenever code is involved. That digital currencies are valuable means we will keep seeing these weaknesses and attempted exploits unless the industry lays emphasis on thoroughness in fewer projects instead of the proliferation of many exploitable projects.