Gas is liquid gold. Back in February 2022, we found a way to abuse a feature called “Gasless Deposits” on dYdX exchange that could allow calling arbitrary contracts literally at the expense of dYdX (dYdX pays for the gas fee). We were then able to demonstrate how to convert free transactions into actual money.
What is Gasless Deposits?
On Ethereum, gas fees are paid in Ether and all transactions need gas. If there’s no Ether in a wallet, there’s no way to send any transactions from it.
There are ways to circumvent it. The idea is a wallet owner can sign a transaction, and a third-party (called relayer) can relay the transaction and cover the gas cost. This is called a Meta Transaction. The result is a seamless experience for new onboarding users.
dYdX Introduced Gasless Deposits with the very same idea. This features integrates with Biconomy, a company that specializes in providing gasless transactions to applications. dYdX deposits ETH into a Biconomy wallet (called gas tank), and Biconomy acts as a relayer to send meta transactions that deposit users’ USDC into dYdX’s L2 chain. The gas fees are deducted from the gas tank.
Bypassing Destination Whitelist
To prevent misuses, Biconomy supports whitelisting the transaction destination. dYdX whitelisted the CurrencyConvertor contract that handles deposits to L2. That means free transactions are only able to call that contract. However, functions depositERC20 and depositEth take a user controlled adderss exchangeProxy, and call proxyExchange on it as an external call. This means anyone could abuse exchangeProxy to call any contracts for free!
function depositERC20(
IERC20 tokenFrom,
uint256 tokenFromAmount,
uint256 starkKey,
uint256 positionId,
I_ExchangeProxy exchangeProxy,
bytes calldata exchangeProxyData,
bytes calldata signature
)
external
nonReentrant
whenNotPaused
returns (uint256)
{
address sender = _msgSender(); [...] // Swap token.
exchangeProxy.proxyExchange(exchangeProxyData); [...]
}
Reselling Free Gas
Free transactions are great. But is there a way to get the most out of them?
In 2020, 1inch introduced Chi Gastoken:
A Gastoken takes advantage of the Ethereum storage refund. To encourage smart contracts to erase unnecessary storage, Ethereum provides a refund for each zeroed element. So, in the process of burning, a Gastoken’s smart contract erases storage that were filled during minting.
In a nutshell, a Gastoken turns unused gas into a tradable, burnable token that be redeemed to gas. Gastokens were heavily used by sandwich bots because they could be minted when the gas price on the network was low.
An attacker can take advantage of the free transactions to mint Chi and sell it on the market.
The bad news for the attacker is that the maximum daily spending of dYdX’s Biconomy account is 0.5 ETH. Hence the title of this article.
Timeline
Feb 2022 — Issue reported to dYdX
May 2022 — dYdX awarded $25k for the issue
