Over $1 billion worth of tokens on the Ethereum blockchain lack a safeguard written into the ERC-20 token standard in 2017, leaving them open to being fraudulently credited and drained from trading exchanges, according to new research.
The software vulnerability, known as a fake deposit exploit, was pinpointed in 7,772 ERC-20 tokens, according to research from Peking University, Beijing University of Posts and Telecommunications, Zhejiang University and the University of Queensland.
The research states that by abusing a flaw in the transfer code of the smart contracts, or programming scripts, of ERC-20 tokens listed on cryptocurrency exchanges with deficient deposit verification, an attacker can be fraudulently credited with exorbitant amounts of funds at almost no cost. The fake deposit attack could then crash the exchange, causing holders of the ERC-20 tokens and other cryptocurrencies to lose their funds.
Some holders could also have trouble accessing utilities purchased with the ERC-20 tokens, which are increasingly tied to goods and necessities such as energy, real estate and insurance.
“If the fake deposit attack is carried out, it is for sure a great disaster for the token,” said one of the researchers, Haoyu Wang, Beijing University of Posts and Telecommunications associate professor of computer science. “Worst case, the token has to be reissued.”
Because smart contracts deployed on the Ethereum blockchain are immutable and cannot be patched in place, the onus falls on cryptocurrency exchanges to fix deposit procedures already prone to the fake deposit attack. Fabian Vogelsteller, the Ethereum developer who authored the ERC-20 token standard, said cryptocurrency exchanges can blacklist malicious token contracts.
Zhejiang University cyber-science associate professor Lei Wu, a second member of the research team, also suggested releasing so-called proxy smart contracts to keep open the option of replacing old Ethereum smart contracts. However, some Ethereum developers have avoided writing proxy smart contracts because they carry their own security risks.
For ERC-20 tokens still in development, the Ethereum Foundation recommends Ethereum blockchain developers implement the protective behaviour in the smart contract standard as a failsafe against inattentive cryptocurrency exchanges, Wang and Wu said.
How it works: Transaction duping
An ERC-20 smart contract that does not follow the Ethereum standard EIP-20, introduced in 2017, checks for an insufficient token balance with a conditional statement and, when the balance is too low, executes a “return false” statement instead of throwing an error that would revert the transaction. The transaction therefore completes on-chain without an error even though no tokens moved. That “return false” is the basis of the fake deposit attack on cryptocurrency exchanges that do not check the result after calling the programming functions “transfer” and “transferFrom”.
The attack begins with the attacker getting a vulnerable ERC-20 token listed on an exchange and holding a small amount of it, as little as a single token, in an exchange-facing account. On a decentralized exchange, the attacker calls the exchange’s “depositToken” function for far more tokens than the attacker holds; “depositToken” calls the token’s “transferFrom”, which returns false rather than reverting, and the exchange credits the attacker’s account with the full claimed amount anyway. On a centralized exchange, the attacker instead calls the token’s “transfer” function directly, with the “_to” and “_value” parameters set to the deposit address assigned to the attacker’s exchange account and the desired token amount; the transaction succeeds on-chain despite moving nothing, and an exchange that credits deposits from the transaction’s success and its parameters, rather than from the tokens that actually arrived, records the fake deposit.
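The mechanics described above, as an added simulation that is not code from the research paper or from any exchange: a toy ERC-20 ledger with the pre-2017 “return false” behaviour beside the reverting one, a decentralized exchange “depositToken” handler that ignores versus checks the return value, and a centralized exchange deposit monitor that credits from transaction status and calldata versus from emitted Transfer events. All names (“issuer”, “attacker”, “dex”, “cex_deposit”) and the receipt layout are assumptions of the example.

```python
"""Simulation of the ERC-20 fake deposit attack (added example, constructed data)."""


class Revert(Exception):
    """Stands in for an EVM revert: state is undone and the transaction status is 0."""


class Token:
    """Minimal ERC-20 ledger. revert_on_insufficient=False reproduces the
    pre-EIP-20 pattern of returning false instead of throwing."""

    def __init__(self, supply, owner, revert_on_insufficient):
        self.balances = {owner: supply}
        self.allowances = {}            # (owner, spender) -> amount
        self.revert_on_insufficient = revert_on_insufficient
        self.events = []                # emitted Transfer(from, to, value) logs

    def _move(self, src, dst, value):
        if self.balances.get(src, 0) < value:
            if self.revert_on_insufficient:
                raise Revert("insufficient balance")
            return False                # silent failure: the tx still succeeds
        self.balances[src] -= value
        self.balances[dst] = self.balances.get(dst, 0) + value
        self.events.append(("Transfer", src, dst, value))
        return True

    def transfer(self, sender, to, value):
        return self._move(sender, to, value)

    def approve(self, owner, spender, value):
        self.allowances[(owner, spender)] = value
        return True

    def transferFrom(self, caller, src, dst, value):
        if self.allowances.get((src, caller), 0) < value:
            if self.revert_on_insufficient:
                raise Revert("insufficient allowance")
            return False
        ok = self._move(src, dst, value)
        if ok:
            self.allowances[(src, caller)] -= value
        return ok


class Dex:
    """depositToken handler of a decentralized exchange (hypothetical).
    check_return=False is the vulnerable pattern: the bool from transferFrom is dropped."""

    def __init__(self, name, token, check_return):
        self.name, self.token, self.check_return = name, token, check_return
        self.credits = {}

    def depositToken(self, user, amount):
        ok = self.token.transferFrom(self.name, user, self.name, amount)
        if self.check_return and not ok:
            raise Revert("transferFrom returned false")
        self.credits[user] = self.credits.get(user, 0) + amount


def send_transfer_tx(token, sender, to, value):
    """Runs token.transfer as a transaction and returns a receipt-like dict."""
    start = len(token.events)
    try:
        token.transfer(sender, to, value)
    except Revert:
        return {"status": 0, "to": to, "value": value, "logs": []}
    return {"status": 1, "to": to, "value": value, "logs": token.events[start:]}


def naive_cex_credit(receipt, deposit_addr):
    """Vulnerable monitor: trusts tx success plus the _to/_value calldata."""
    if receipt["status"] == 1 and receipt["to"] == deposit_addr:
        return receipt["value"]
    return 0


def safe_cex_credit(receipt, deposit_addr):
    """Hardened monitor: credits only what Transfer events show actually arrived."""
    return sum(v for (ev, _src, dst, v) in receipt["logs"]
               if ev == "Transfer" and dst == deposit_addr)


def _fund(held, revert_on_insufficient):
    token = Token(10**6, "issuer", revert_on_insufficient)
    token.transfer("issuer", "attacker", held)
    return token


def run_deposit(held, claimed, revert_on_insufficient, dex_checks_return):
    """Attacker holds `held` tokens and claims `claimed`; returns the credits each path grants."""
    dex_token = _fund(held, revert_on_insufficient)
    dex = Dex("dex", dex_token, dex_checks_return)
    dex_token.approve("attacker", "dex", claimed)
    try:
        dex.depositToken("attacker", claimed)
        dex_credit = dex.credits.get("attacker", 0)
    except Revert:
        dex_credit = 0
    cex_token = _fund(held, revert_on_insufficient)
    receipt = send_transfer_tx(cex_token, "attacker", "cex_deposit", claimed)
    return {"dex": dex_credit,
            "cex_naive": naive_cex_credit(receipt, "cex_deposit"),
            "cex_safe": safe_cex_credit(receipt, "cex_deposit")}


if __name__ == "__main__":
    print(run_deposit(held=1, claimed=10**6, revert_on_insufficient=False, dex_checks_return=False))
```

With a return-false token and an unchecked exchange, the attacker who holds one token is credited with a million on both the decentralized and the naive centralized path; a reverting token, a return-value check in “depositToken”, or a deposit monitor that reads Transfer events each stop the fake credit while still crediting a genuine deposit in full.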
Which ERC-20 tokens are at risk?
The vulnerable tokens with the most trading volume on decentralized exchanges, CloudBric, MovieCredits, BullandBear, LOVE and EtherDOGE, have had little, if any, activity, according to the research. These ERC-20 tokens are circulating on three decentralized exchanges, IDEX, DDEX and Ether Delta, which patched the vulnerability this month, according to the study’s researchers.
In contrast, 7,716 of the ERC-20 tokens vulnerable to the fake deposit attack – 99.2% of those identified – are listed on centralized exchanges such as Binance, Coinbase, OkEx and Kraken. Affected tokens on centralized exchanges, where the bulk of the vulnerable ERC-20 tokens are trading, were valued at more than $1.1 billion in April.
Baer Chain’s BRC token, the Brave privacy web browser’s Basic Attention Token (BAT), the Huobi Chinese cryptocurrency exchange’s HPT token, the Rocket Pool Ethereum app service’s RPL token and the Power Ledger electrical grid blockchain’s PWR token had the highest recorded market capitalizations of the vulnerable tokens held on centralized exchanges. Approximately $391,000 in 87,000 BRC, $388,000 in 305,000 BAT, $63,000 in 1,000 HPT, $39,000 in 3,000 RPL and $28,000 in 50,000 PWR were affected, the research said.
When asked, the computer scientists declined to identify the affected Ethereum tokens beyond those with the top five trading volumes on decentralized exchanges and the top five market capitalizations on centralized exchanges. The researchers also did not determine which centralized exchanges have not undertaken the recommended Ethereum token deposit checks.
“For the vulnerabilities and attacks we identified, some of them have been confirmed,” Wang said. Neither the researchers nor PeckShield, a blockchain security company that collaborated with the research team, are choosing to publicly identify vulnerable tokens other than the 10 that are known, Wang said.
Yan Zhu, Brave Software chief information security officer, said the vulnerability is not linked to the Brave browser wallet, and that the affected Basic Attention Tokens were deployed without proxy smart contracts before Ethereum blockchain standard EIP-20 was modified in 2017 to integrate the software implementation that prevents the fake deposit attack.
Power Ledger, on the other hand, deployed its affected ERC-20 tokens even after the Ethereum Foundation released the updated EIP-20 software implementation. For now, John Bulich, Power Ledger technical director, advises Power Ledger customers to “hold their own crypto assets in their own secure wallets” and “not trust centralized exchanges with anything more than their current trading stock.”
The five known issuers of the tokens affected on centralized exchanges did not respond to queries as to whether they have checked with cryptocurrency exchanges about the vulnerability.
Huobi, Baer Chain and Rocket Pool did not respond to requests for comment.