Gas Token, the exchange currency of Ethereum, is found to have a major flaw. An exchange development company exposed a bug that makes it possible to drain large reserves from exchanges as payment for massive computations. Any Ethereum cryptocurrency exchange is potentially at risk, because attackers can use this flaw to make it send large sums of Gas Tokens to any arbitrary address. Apparently, an attacker can make any user or exchange transfer any amount of Gas or Ethereum to an address. The vulnerability stems from the fact that Gas Tokens can be transferred to an arbitrary address, and the recipient can use that transaction to perform computation at the expense of the transaction's originator.
An attacker can withdraw funds from an exchange or a user through a fallback function if that exchange or user has not set a limit on the amount of Gas in each transaction. The gas required to run the function is paid from the wallet of the exchange. Using this technique, the attacker can withdraw any amount to multiple accounts, inflicting a huge loss on the exchange. An attacker can also mint Gas Tokens using the funds of the user or Ethereum cryptocurrency exchange.
Exchanges or users who initiate Ethereum transactions without setting a gas limit are exposed to this issue. Entities that merely process the transaction, including decentralized exchanges and relay services, do not have to worry. However, the problem is not limited to Ether itself but also affects Ethereum-based tokens such as ERC 20 and ERC 721. Thus, any entity that initiates transfers of Ether or Ethereum-based tokens without a predefined gas limit on transactions is exposed to this bug.
Any Ethereum cryptocurrency exchange that does not restrict the type of recipient address is more vulnerable, because such an exchange can be forced to send currency to a smart contract address rather than to a wallet. In this case, the exchange might lose huge amounts, as the smart contract can be used to consume the computation paid for by the exchange. Moreover, the popularity of the Ethereum blockchain has put a large number of stakeholders in jeopardy.
Ethereum is among the most popular blockchains in terms of application development, so a vulnerability in the system might impact the industry strongly. Since the launch of Ethereum in July 2015, there have been around 30 million Ether transactions across the globe. This transaction volume is evidence of its popularity and its growing use cases as a platform for automated transactions, primarily in social media and in supply chain management. Half of the transactions so far are in decentralized exchanges, of which EtherDelta and IDEX are the major ones. The Ethereum-based exchange IDEX has a daily trading volume of 209 BTC, amounting to more than a million US dollars each day.
Apart from exchanges, Ethereum smart contracts are also used for ICOs: 40% of transactions are in ICOs based on ERC 20 tokens. There are several top Ethereum-based tokens, such as EOS, Tron and OmiseGo; EOS had a record sale of 4 billion within a single year of its release. The remaining 10% of transactions on the Ethereum blockchain consist of crypto-collectibles, facilitated by networks like CryptoKitties.
Per experts, even if exchanges may already have lost some funds to the attack, they can defend themselves without much difficulty. The only thing they need to do is implement a reasonable Gas limit on withdrawals. Exchanges are advised to set their Gas limit to 21,000 gWei, which is the minimum limit for any Ethereum transaction. Exchanges must take extra precaution when sending a transaction to an unknown address. There are other effective measures apart from withdrawal limits, such as KYC procedures. Exchanges and users should also immediately start monitoring the Gas consumed by their withdrawal transactions. Some cryptocurrency exchange developers are already taking precautionary steps to eradicate such bugs.
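As an added example (not code from the article or from any exchange), the following shows how a hot-wallet service could apply the mitigations above before signing a withdrawal: cap the gas at the 21,000 intrinsic cost of a plain transfer, refuse to send blindly to an address that holds contract code, and flag past withdrawals whose gas usage shows the recipient ran code. The `get_code` callback and the withdrawal log format are assumptions for the example.

```python
from dataclasses import dataclass

# Intrinsic gas of a plain ETH transfer to an externally owned account; nothing
# beyond this can be consumed unless the recipient is a contract with code.
PLAIN_TRANSFER_GAS = 21_000


@dataclass
class Withdrawal:
    to: str          # recipient address
    value_wei: int   # amount in wei
    gas_limit: int   # gas limit the exchange would attach to the transaction


def vet_withdrawal(w, get_code, max_gas=PLAIN_TRANSFER_GAS):
    """Return (ok, reason). `get_code` is an assumed callback returning the
    bytecode at an address (empty bytes for a normal wallet)."""
    if w.gas_limit > max_gas:
        # Any surplus gas would fund the recipient's fallback code (for example
        # minting Gas Tokens) out of the exchange's balance.
        return False, f"gas limit {w.gas_limit} exceeds cap {max_gas}"
    if get_code(w.to):
        # Code at the address means a fallback function runs on receipt;
        # require an explicit allow-list decision instead of sending blindly.
        return False, "recipient is a contract address"
    return True, "ok"


def flag_gas_anomalies(records, cap=PLAIN_TRANSFER_GAS):
    """Monitoring over past withdrawals: a plain transfer never uses more than
    the intrinsic gas, so a higher gas_used means the recipient ran code."""
    return [r["tx"] for r in records if r["gas_used"] > cap]


# Constructed sample data (not real addresses or transactions).
SAMPLE_CODE = {"0xwallet": b"", "0xcontract": b"\x60\x80\x60\x40"}
SAMPLE_LOG = [
    {"tx": "tx-1", "to": "0xwallet", "gas_used": 21_000},
    {"tx": "tx-2", "to": "0xcontract", "gas_used": 190_000},
    {"tx": "tx-3", "to": "0xwallet", "gas_used": 21_000},
]

if __name__ == "__main__":
    print(vet_withdrawal(Withdrawal("0xwallet", 10**18, 21_000), SAMPLE_CODE.get))
    print(vet_withdrawal(Withdrawal("0xcontract", 10**18, 21_000), SAMPLE_CODE.get))
    print(flag_gas_anomalies(SAMPLE_LOG))  # ['tx-2']
```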