Exchange Bug Discovery Averts Ethereum Token Theft

The discovery of a coding error has brought to light an issue that could put ethereum-based tokens held at exchanges at risk of theft.

Apr 11, 2017 at 11:00 a.m. UTC
Updated Sep 11, 2021 at 1:13 p.m. UTC

A bug discovered last month could have potentially emptied exchange accounts holding digital tokens used to power the ethereum-based distributed application Golem.

Due to the nature of the bug, it could also have been used against other ethereum tokens listed at the exchange, because GNT follows the platform's ERC-20 standard, a feature that has won advocates in the exchange sector due to its ability to reduce the time it takes exchanges to add new coins.

However, a Golem supporter and a GNT holder found the bug on 18th March and reported it to the developer team before it could be used maliciously.

The problem that came to light stems from how exchanges prepare the data for transactions and how Solidity (the ethereum smart contracting language) encodes and decodes the transaction data, according to Golem Factory software engineer Pawel Bylica, who published a report on the issue.

According to his assessment, the service that prepared the data for token transfers assumed a 20-byte address as input, but did not actually check that the input was that length.

As a result, a shorter address caused the transaction amount in the encoded data to be shifted to the left, thereby increasing its value.
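The following is an added example, not Golem's or any exchange's code: a hypothetical encoder for `transfer(address,uint256)` calldata that trusts the caller's address length, a small model of how the EVM reads that calldata, and the length check Bylica describes as the fix. The selector constant is the real one for that function signature; the addresses and amount are constructed sample values.

```python
# Added example (hypothetical encoder, not Golem's or any exchange's code).
SELECTOR = bytes.fromhex("a9059cbb")  # first 4 bytes of keccak256("transfer(address,uint256)")
WORD = 32                             # every ABI argument occupies a 32-byte word

def _hex_to_bytes(hex_str: str) -> bytes:
    return bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)

def naive_encode_transfer(to_hex: str, amount: int) -> bytes:
    """Vulnerable: assumes the address is 20 bytes and prepends exactly 12 zero
    bytes, so a 19-byte address leaves the address word one byte short."""
    to = _hex_to_bytes(to_hex)
    return SELECTOR + b"\x00" * 12 + to + amount.to_bytes(WORD, "big")

def checked_encode_transfer(to_hex: str, amount: int) -> bytes:
    """Hardened: reject any address that is not exactly 20 bytes before encoding."""
    to = _hex_to_bytes(to_hex)
    if len(to) != 20:
        raise ValueError(f"address must be 20 bytes, got {len(to)}")
    return SELECTOR + to.rjust(WORD, b"\x00") + amount.to_bytes(WORD, "big")

def evm_decode_transfer(calldata: bytes):
    """Model of how Solidity reads the arguments: fixed 32-byte words after the
    selector, with any calldata past the end reading as zero bytes."""
    def word(i: int) -> bytes:
        start = 4 + WORD * i
        return calldata[start:start + WORD].ljust(WORD, b"\x00")
    to = word(0)[-20:]                       # address = low 20 bytes of word 0
    amount = int.from_bytes(word(1), "big")  # amount = all of word 1
    return "0x" + to.hex(), amount

if __name__ == "__main__":
    full = "0x" + "ab" * 20   # constructed 20-byte address
    short = "0x" + "ab" * 19  # constructed: same address with its last byte missing
    print(evm_decode_transfer(naive_encode_transfer(full, 1000)))   # amount stays 1000
    print(evm_decode_transfer(naive_encode_transfer(short, 1000)))  # amount becomes 1000 * 256
    try:
        checked_encode_transfer(short, 1000)
    except ValueError as err:
        print("rejected:", err)
```

With the short input the calldata is 67 bytes instead of 68, so the EVM's zero-padding lands in the low byte of the amount and the transfer is for 256 times the intended value.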

The Golem user reported a "strange" transaction that gained so much value that it could have emptied the entire exchange GNT account, according to Bylica's post. In fact, the only reason this didn't happen, he said, is that the number was so large that it was impossible for the exchange to complete it.

The bug has now been fixed and Bylica’s team has notified other exchanges of the potential vulnerability.

'Shocked and terrified'

Yet, fears were still stoked by the bug, given it could have been broadly applicable to other exchanges using ERC-20 tokens.

Although Bylica's team has not verified the existence of this vulnerability on other exchanges, he mentioned the potential downsides were serious.

"We were shocked and a little bit terrified to realize the potential consequences of someone taking advantage of that bug for multiple tokens on multiple exchanges," Bylica wrote.

Fortunately, some proposed fixes are relatively simple to implement.

"Simply checking the length of an address provided by a user secures [exchanges] from the described attack," wrote Bylica.

Reddit reactions

The reaction on Reddit ranged from mild outrage to debates on exchanges’ responsibility to provide enhanced security.

"This is basic stuff," wrote user BullBearBabyWhale. "I’m once again amazed how serious business in this space (which is all about security) is not taking it seriously."

For those storing any ethereum-based tokens, including ERC-20 tokens, on an exchange, Reddit user 1up8192 recommended reaching out to the service providers to see if they had checked for the vulnerability.

"Ask your exchange if they know about the possibility of injection and if they resolved the problem," they wrote.
