The Dapp developer called Level K posted a public disclosure yesterday warning of a possible malicious activity on the Ethereum platform. It concerns all tokens supported by the Ethereum but especially vulnerable is the GasToken.
The risk comes when an Ether is sent to an address and the system performs arbitrary computations. In that case, the exchange pays an arbitrary sum for computations if it does not have gas risk prevention. When a user sends Ether to an address, he pays for arbitrary computations performed by the address. That is well known, Level K explains, and is called a vector of ‘griefing’. However, the cryptocurrency exchanges do not have proper protection. Here is how he presents the issue regarding the GasToken:
GasToken, which takes advantage of the refund mechanism on storage in Ethereum, allows users to store gas when the gas price is low and receive a gas refund when the gas price is high. By minting large amounts of GasToken when receiving ETH, the griefing vector mentioned above can now be a profitable attack.
Level K also posted a list of recommendations to crypto exchanges. He urges them to share contact details for developers to explain the possible risk even in a greater detail. Exposed tokens are the ones built on the ERC20 system but also on ERC721, ERC777, and ERC677. Coins that implement these tokens should implement gas restrictions, according to the Ethereum developer Level K.
Attackers may have co-discovered this vulnerability. Review your logs to determine if you have been subject to this attack.
Consider whether similar issues are present on other blockchains, such as Ethereum Classic or EOS, and set appropriate limits.
Consider implementing rate limiting and gas monitoring on withdrawal. Rate limiting is not sufficient to prevent attacks. However, it can help mitigate the issue,
He warns. For a full description of the possible risks, read Level K’s paper. CrispyBull will watch out for attack alarms and will keep following the cryptocurrency market.