Exchange Bug Discovery Averts Ethereum Token Theft

The discovery of a coding error has brought to light an issue that could put ethereum-based tokens held at exchanges at risk of theft.

AccessTimeIconApr 11, 2017 at 11:00 a.m. UTC
Updated Sep 11, 2021 at 1:13 p.m. UTC
Consensus 2023 Logo
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.
Consensus 2023 Logo
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.

A bug discovered last month could have potentially emptied exchange accounts holding digital tokens used to power the ethereum-based distributed application Golem.

However, due to the nature of the bug, it could also have been used on other ethereum tokens listed at the exchange. That's because it used the platform's ERC-20 standard, a feature that has won advocates in the exchange sector due to its ability to reduce the time it takes exchanges to add new coins.

However, a Golem supporter and a GNT holder found the bug on 18th March and reported it to the developer team before it could be used maliciously.

The problem that came to light stems from how exchanges prepare the data for transactions and how Solidity (the ethereum smart contracting language) encodes and decodes the transaction data, according to Golem Factory software engineer Pawel Bylica, who published a report on the issue.

According to his assessment, the service that prepared the data for token transfers assumes a 20-byte long address input, but didn't actually check to ensure that the input was the correct length.

As a result, a shorter address length caused the transaction amount to be shifted to the left, thereby increasing its value.

The Golem user reported a "strange" transaction that gained so much value that it could have emptied the entire exchange GNT account, according to Bylica's post. In fact, he only reason this didn't happen, he said, is that the number was so large that it was impossible for the exchange to complete it.

The bug has now been fixed and Bylica’s team has notified other exchanges of the potential vulnerability.

'Shocked and terrified'

Yet, fears were still stoked by the bug, given it could have been broadly applicable to other exchanges using ERC-20 tokens.

Although Bylica's team has not verified the existence of this vulnerability on other exchanges, he mentioned the potential downsides were serious.

"We were shocked and a little bit terrified to realize the potential consequences of someone taking advantage of that bug for multiple tokens on multiple exchanges," Bylica wrote.

Fortunately, some proposed fixes are relatively simple to implement.

"Simply checking the length of an address provided by a user secures [exchanges] from the described attack," wrote Bylica.

Reddit reactions

The reaction on Reddit ranged from mild outrage to debates on exchanges’ responsibility to provide enhanced security.

"This is basic stuff," wrote user BullBearBabyWhale. "I’m once again amazed how serious business in this space (which is all about security) is not taking it seriously."

For those storing any ethereum-based tokens, including ERC-20 tokens, on an exchange, Reddit user 1up8192 recommended reaching out to the service providers to see if they had checked for the vulnerability.

"Ask your exchange if they know about the possibility of injection and if they resolved the problem," they wrote.

Computer code image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.