Exchange Bug Discovery Averts Ethereum Token Theft

The discovery of a coding error has brought to light an issue that could put ethereum-based tokens held at exchanges at risk of theft.

AccessTimeIconApr 11, 2017 at 11:00 a.m. UTC
Updated Sep 11, 2021 at 1:13 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A bug discovered last month could have potentially emptied exchange accounts holding digital tokens used to power the ethereum-based distributed application Golem.

However, due to the nature of the bug, it could also have been used on other ethereum tokens listed at the exchange. That's because it used the platform's ERC-20 standard, a feature that has won advocates in the exchange sector due to its ability to reduce the time it takes exchanges to add new coins.

However, a Golem supporter and a GNT holder found the bug on 18th March and reported it to the developer team before it could be used maliciously.

The problem that came to light stems from how exchanges prepare the data for transactions and how Solidity (the ethereum smart contracting language) encodes and decodes the transaction data, according to Golem Factory software engineer Pawel Bylica, who published a report on the issue.

According to his assessment, the service that prepared the data for token transfers assumes a 20-byte long address input, but didn't actually check to ensure that the input was the correct length.

As a result, a shorter address length caused the transaction amount to be shifted to the left, thereby increasing its value.

The Golem user reported a "strange" transaction that gained so much value that it could have emptied the entire exchange GNT account, according to Bylica's post. In fact, he only reason this didn't happen, he said, is that the number was so large that it was impossible for the exchange to complete it.

The bug has now been fixed and Bylica’s team has notified other exchanges of the potential vulnerability.

'Shocked and terrified'

Yet, fears were still stoked by the bug, given it could have been broadly applicable to other exchanges using ERC-20 tokens.

Although Bylica's team has not verified the existence of this vulnerability on other exchanges, he mentioned the potential downsides were serious.

"We were shocked and a little bit terrified to realize the potential consequences of someone taking advantage of that bug for multiple tokens on multiple exchanges," Bylica wrote.

Fortunately, some proposed fixes are relatively simple to implement.

"Simply checking the length of an address provided by a user secures [exchanges] from the described attack," wrote Bylica.

Reddit reactions

The reaction on Reddit ranged from mild outrage to debates on exchanges’ responsibility to provide enhanced security.

"This is basic stuff," wrote user BullBearBabyWhale. "I’m once again amazed how serious business in this space (which is all about security) is not taking it seriously."

For those storing any ethereum-based tokens, including ERC-20 tokens, on an exchange, Reddit user 1up8192 recommended reaching out to the service providers to see if they had checked for the vulnerability.

"Ask your exchange if they know about the possibility of injection and if they resolved the problem," they wrote.

Computer code image via Shutterstock

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.