Public Disclosure: Malicious GasToken Minting

Level K
Level K
Nov 21, 2018 · 1 min read

This is a public disclosure of a newly discovered vulnerability. Some affected parties have already been notified in a private disclosure that was sent out on November 13th.

When ETH is sent to an address, that address is able to perform arbitrary computations paid for by the originator of the transaction. This is a known vector for griefing. However, in some cases, at-risk systems such as exchanges did not put proper protections in place.

GasToken, which takes advantage of the refund mechanism on storage in Ethereum, allows users to store gas when the gas price is low and receive a gas refund when the gas price is high. By minting large amounts of GasToken when receiving ETH, the griefing vector mentioned above can now be a profitable attack.

Because it was unknown which exchanges did and did not have the protections in place, the private disclosure was made to as many exchanges as possible, many of which were not at risk. To our knowledge, all affected exchanges that received the disclosure have patched the vulnerability.

For more information the full disclosure can be found here.

Level K

Ethereum Smart Contracts and Decentralized Applications

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store