On November 21st, researchers revealed a vulnerability in crypto exchange platforms that set no gas limit on outgoing transactions to Ethereum (ETH) smart contracts. According to a Level K publication, several crypto exchanges have been alerted since November 9th about this security flaw, which could drain their hot wallets through the continual collection of transaction fees (gas) on the Ethereum network.
Level K explained that this happens because, with smart contracts (ERC20 tokens, ERC721 tokens such as CryptoKitties, and others), the receiving address's code arbitrarily determines how much gas a transaction consumes, and that gas is paid by the transaction's initiator, in this case the crypto exchange platform.
When a cryptocurrency exchange has not established a well-defined gas limit for transactions to Ethereum (ETH) smart contracts, malicious users can make their withdrawal transactions consume large amounts of gas, pulling far more out of the exchange's hot wallet than the amount withdrawn. The scenario is even worse if the trading platform has no KYC standards.
Crypto Exchange Platforms With No Gas Limit Set On Ethereum (ETH) Transactions Are Vulnerable To Cyber Attacks
Many cryptocurrency exchanges allow the withdrawal of Ethereum (ETH) to arbitrary addresses with no gas limit. Since sending ETH to a contract address executes that contract's fallback function, attackers can make these crypto exchange platforms pay the resulting transaction fees. That lets cyberattackers force exchange platforms to burn their own Ethereum (ETH) on high transaction costs. Hackers can even profit from this by using GasTokens.
Keep in mind that GasToken is a smart contract that could be used to exploit this vulnerability further by turning it into a "profitable attack." GasToken functions as a bank for gas, the fundamental resource for transactions on the Ethereum network: users can acquire GasTokens that represent stored gas and hold them while gas is cheap, for use later.
GasToken also lets users benefit from Ethereum's storage rebate. This rebate applies only to contract transactions, and only when they delete storage entries that would otherwise have to remain on the blockchain. What makes this kind of reimbursement attractive is that it can cover up to half of the gas consumed by a contract transaction.
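To make the cost mechanism concrete, here is an added Python model of who pays for the gas in an outgoing withdrawal; it is not code from Level K, GasToken or any exchange. It assumes a block gas limit of 8,000,000 gas and a 21,000-gas intrinsic cost for a plain transfer (both roughly the late-2018 mainnet figures), a hypothetical exchange policy cap of 50,000 gas for contract destinations, and the half-of-gas-used refund ceiling the article describes. The destination's behaviour is modelled abstractly (how much gas its fallback tries to burn and how much refund it can claim) rather than executed as EVM bytecode.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Assumed constants (not from the article): the Ethereum block gas limit in late
# 2018 was roughly 8 million gas, and a plain ETH transfer costs 21,000 gas.
BLOCK_GAS_LIMIT = 8_000_000
BASE_TX_GAS = 21_000
CONTRACT_GAS_CAP = 50_000   # hypothetical exchange policy for withdrawals to contracts
WEI_PER_ETH = 10**18


@dataclass
class Receiver:
    """Constructed, abstract model of a withdrawal destination.

    For a contract address, `fallback_gas` is how much gas its fallback function
    tries to consume when it receives ETH (for example by writing storage slots
    to mint GasTokens), and `refund` is the storage refund it can claim in the
    same transaction by clearing storage. Externally owned accounts run no code.
    """
    is_contract: bool
    fallback_gas: int = 0
    refund: int = 0


def execute_transfer(gas_limit: int, gas_price_wei: int, receiver: Receiver) -> Tuple[int, int]:
    """Simulate one ETH transfer paid for by the sender (the exchange).

    Returns (gas_charged, fee_wei). Gas spent is bounded by gas_limit; the
    storage refund is capped at half the gas used, as the article states.
    """
    if gas_limit < BASE_TX_GAS:
        raise ValueError("gas limit below the intrinsic transaction cost")
    available_for_code = gas_limit - BASE_TX_GAS
    if not receiver.is_contract:
        gas_used, refund = BASE_TX_GAS, 0
    elif receiver.fallback_gas > available_for_code:
        # The fallback runs out of gas: the call fails, the whole allowance is
        # consumed anyway, and any refund is discarded.
        gas_used, refund = gas_limit, 0
    else:
        gas_used = BASE_TX_GAS + receiver.fallback_gas
        refund = min(receiver.refund, gas_used // 2)
    gas_charged = gas_used - refund
    return gas_charged, gas_charged * gas_price_wei


GasPolicy = Callable[[Receiver], int]


def unbounded_gas_limit(receiver: Receiver) -> int:
    """Weak policy: every withdrawal gets the whole block's gas, so the
    recipient's code decides how much the exchange pays."""
    return BLOCK_GAS_LIMIT


def capped_gas_limit(receiver: Receiver) -> int:
    """Hardened policy: plain transfers get exactly the intrinsic cost and
    contract destinations get a small fixed allowance, so the loss per
    withdrawal is bounded whatever the destination's code does."""
    return CONTRACT_GAS_CAP if receiver.is_contract else BASE_TX_GAS


def withdrawal_fee(receiver: Receiver, gas_price_wei: int, policy: GasPolicy) -> Tuple[int, int, int]:
    """Apply an exchange gas policy to one withdrawal and return
    (gas_limit_set, gas_charged, fee_wei)."""
    gas_limit = policy(receiver)
    gas_charged, fee_wei = execute_transfer(gas_limit, gas_price_wei, receiver)
    return gas_limit, gas_charged, fee_wei


def worst_case_fee(gas_price_wei: int, policy: GasPolicy) -> int:
    """Fee in wei the exchange can be made to pay on a single withdrawal under
    a policy, against a destination whose fallback tries to burn a whole block."""
    greedy = Receiver(is_contract=True, fallback_gas=BLOCK_GAS_LIMIT - BASE_TX_GAS)
    return withdrawal_fee(greedy, gas_price_wei, policy)[2]


if __name__ == "__main__":
    gas_price = 10 * 10**9  # 10 gwei, a constructed sample gas price
    plain = Receiver(is_contract=False)
    burner = Receiver(is_contract=True, fallback_gas=5_000_000)  # mints tokens, claims no refund yet
    for name, policy in (("unbounded", unbounded_gas_limit), ("capped", capped_gas_limit)):
        for label, dest in (("EOA", plain), ("gas-burning contract", burner)):
            limit, charged, fee = withdrawal_fee(dest, gas_price, policy)
            print(f"{name:9} -> {label:20} limit={limit:>9,} charged={charged:>9,} "
                  f"fee={fee / WEI_PER_ETH:.5f} ETH")
        print(f"{name:9} worst case per withdrawal: "
              f"{worst_case_fee(gas_price, policy) / WEI_PER_ETH:.4f} ETH")
```

Running the script shows the point of the article in numbers: with the unbounded policy a withdrawal to an ordinary account costs 21,000 gas, but the same withdrawal to a gas-burning contract costs whatever the contract chooses up to the block limit, all paid from the hot wallet; with a fixed cap the worst case is the cap itself. The refund branch shows why the GasToken angle matters to the recipient: clearing storage in a contract call gets back at most half of the gas used, never more.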