
A bug centering around a new Ethereum token, GasToken, which was enabling abuse on cryptocurrency exchanges, appears to have been resolved. The details are provided in a report originally published on November 13, 2018, that discussed how the bug was exploited by attackers, and what digital platforms could do if they wished to protect their hot wallet funds[1].

It was unclear which exchanges could or could not be affected by the bug. Thus, private disclosures were issued to “as many exchanges as possible,” according to a Medium post[2]. While it was determined that most of these exchanges were not in any danger, all vulnerable exchanges have since put the proper protections in place. At press time, the bug is no longer considered a threat.

According to its website[3], GasToken is an Ethereum-based contract that allows individuals to tokenize gas on the Ethereum network through a special refund mechanism. Users can store gas when the price is low and garner refunds when it’s high.

The website reads, “Every transaction on the network must include some gas, and the fee paid to miners for each transaction is directly proportional to the gas consumed by a transaction. GasToken allows a transaction to do the same amount of work and pay for less gas, saving on miner fees and costs and allowing users to bid higher gas prices without paying correspondingly higher fees.”

The document alleges that many exchanges either enforced no gas usage limits or allowed for the withdrawal of ether to arbitrary addresses. Combined with GasToken’s refund structure, this opened a door for attackers, who could mint GasToken whenever they received ether and make exchanges pay for arbitrary computation.
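The missing control described above, as an added example that is not code from the report or from any exchange: a cap on the gas limit a hot wallet will sign for a withdrawal, plus an audit of past withdrawal receipts for gas use above that cap. The 50,000-gas cap, the record fields and the sample withdrawals are assumptions constructed for illustration.

```python
# Added example: hypothetical names and constructed data, not from the GasToken report.
from dataclasses import dataclass

PLAIN_TRANSFER_GAS = 21_000   # gas consumed by a plain ether transfer
WITHDRAWAL_GAS_CAP = 50_000   # assumed policy cap; each exchange would tune this


@dataclass
class Withdrawal:
    tx_id: str           # constructed label, not a real transaction hash
    gas_limit: int       # limit the hot wallet signed
    gas_used: int        # gas actually consumed, from the receipt
    gas_price_gwei: int  # price the exchange paid per unit of gas


def capped_gas_limit(estimated_gas: int, cap: int = WITHDRAWAL_GAS_CAP) -> int:
    """Gas limit to sign for a withdrawal. An estimate above the cap means the
    recipient runs code on receipt, so the withdrawal is held, not paid for."""
    if estimated_gas > cap:
        raise ValueError(f"estimate {estimated_gas} exceeds cap {cap}: hold for review")
    return max(estimated_gas, PLAIN_TRANSFER_GAS)


def excess_fee_gwei(w: Withdrawal) -> int:
    """Fee paid beyond what a plain transfer would have cost."""
    return max(0, w.gas_used - PLAIN_TRANSFER_GAS) * w.gas_price_gwei


def audit(withdrawals, cap: int = WITHDRAWAL_GAS_CAP):
    """(tx_id, excess fee in gwei) for each withdrawal that consumed more than the cap."""
    return [(w.tx_id, excess_fee_gwei(w)) for w in withdrawals if w.gas_used > cap]


# Constructed sample: one normal payout, one where the recipient consumed
# almost the whole uncapped limit, one that stayed under the cap.
SAMPLE = [
    Withdrawal("wd-001", 21_000, 21_000, 10),
    Withdrawal("wd-002", 4_000_000, 3_950_000, 10),
    Withdrawal("wd-003", 90_000, 34_500, 12),
]

if __name__ == "__main__":
    for tx_id, fee in audit(SAMPLE):
        print(f"{tx_id}: {fee} gwei paid above a plain transfer")
```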

Attackers could exploit the bug in one of two ways. The first

Read more from our friends at Bitcoin Magazine: