A newly discovered vulnerability on Ethereum allowing for malicious GasToken Minting was found. The development team already acknowledged the issue and informed most of the affected users on November 13, 2018, via private disclosure.
Crypto exchanges usually allow the withdrawal of Ethereum to arbitrary addresses with no gas usage limit; since this executes a fall back function, attackers can use this to make exchanges pay for arbitrary computation, allowing them to force exchanges to burn their own Ethereum on high transaction costs. Moreover, this even gives attackers the chance of having financial benefits by minting GasToken.
When Ether is sent, the receiving address can perform arbitrary computations that will eventually be paid by the sender of the transaction. According to the report, this is an already known vector for griefing. In the case of exchanges, if proper security measures are not taken into account, this might put the system at-risk as this ends up to be an attack vector.
Since the GasToken, takes advantage of the Ethereum refund mechanism, it allows users to store gas when the gas price is low and receive gas when the price is high. If an attacker is capable of minting large amounts of GasToken with ETH refunds, the griefing vector becomes a successful attack.
Because it was unknown which exchanges did and did not have the protections in place, the private disclosure was made to as many exchanges as possible, many of which were not at risk. To our knowledge, all affected exchanges that received the disclosure have patched the vulnerability.
According to the disclosure letter, there are two ways to exploit this attack vector:
“In one scenario, an attacker can perform computation in the fallback function of a contract receiving Ethereum from the exchange, or in the transfer functionality of a token listed on the exchange. With the ability to make the exchange pay for large amounts of computation, an attacker can either drain the exchange’s hot wallet (simply by burning gas) or mint GasToken for a potential profit.”
This malicious attack can also be used to exploit other types of contracts. Examples of contracts that run code vulnerable to this attack include ERC721, ERC777, and ERC677 contracts with the functions transferAndCall(), send(), and safeTransferFrom() respectively.
The disclosure letter also left some recommendations on how to avoid this type of attack. Exchanges should consider implement rate limit and gas monitoring on withdrawal.
Contracts that implement ERC721, ERC777 and ERC677 should put restrictions on gas usage when making calls to unknown addresses. Alternatively, warnings should be coded out to alert when an unusually large amount of gas is being used.
Users should also implement reasonable gas limits on all transactions. All transactions should be closely monitored extraordinarily expensive transactions, to ensure that the user bears the cost.
Most withdrawals should be to user (non-contract) addresses and will take 21,000 gas (the minimum an Ethereum transaction can take). Withdrawals to contract addresses may take more gas, but it is easy to calculate the cost or either set an appropriate gas limit or charge the user accordingly.