Exchange Bug Discovery Averts Ethereum Token Theft

code-files-e1491838754417
11 April 2017

A bug discovered last month could have potentially emptied exchange accounts holding digital tokens used to power the ethereum-based distributed application Golem.

However, due to the nature of the bug, it could also have been used on other ethereum tokens listed at the exchange. That’s because it used the platform’s ERC-20 standard, a feature that has won advocates in the exchange sector due to its ability to reduce the time it takes exchanges to add new coins.

However, a Golem supporter and a GNT holder found the bug on 18th March and reported it to the developer team before it could be used maliciously.

The problem that came to light stems from how exchanges prepare the data for transactions and how Solidity (the ethereum smart contracting language) encodes and decodes the transaction data, according to Golem Factory software engineer Pawel Bylica, who published a report on the issue.

According to his assessment, the service that prepared the data for token transfers assumes a 20-byte long address input, but didn’t actually check to ensure that the input was the correct length.

As a result, a shorter address length caused the transaction amount to be shifted to the left, thereby increasing its value.

The Golem user reported a “strange” transaction that gained so much value that it could have emptied the entire exchange GNT account, according to Bylica’s post. In fact, he only reason this didn’t happen, he said, is that the number was so large that it was impossible for the exchange to complete it.

The bug has now been fixed and Bylica’s team has notified other exchanges of the potential vulnerability.

‘Shocked and terrified’

Yet, fears were still stoked by the bug, given it could have been broadly applicable to other exchanges using ERC-20 tokens.

Although Bylica’s team has not verified the existence of this vulnerability on other exchanges, he mentioned the potential downsides were serious.

“We were shocked and a little bit terrified to realize the potential consequences of someone taking advantage of that bug for multiple tokens on multiple exchanges,” Bylica wrote.

Fortunately, some proposed fixes are relatively simple to implement.

“Simply checking the length of an address provided by a user secures [exchanges] from the described attack,” wrote Bylica.

Reddit reactions

The reaction on Reddit ranged from mild outrage to debates on exchanges’ responsibility to provide enhanced security.

“This is basic stuff,” wrote user BullBearBabyWhale. “I’m once again amazed how serious business in this space (which is all about security) is not taking it seriously.”

For those storing any ethereum-based tokens, including ERC-20 tokens, on an exchange, Reddit user 1up8192 recommended reaching out to the service providers to see if they had checked for the vulnerability.

“Ask your exchange if they know about the possibility of injection and if they resolved the problem,” they wrote.

Computer code image via Shutterstock