Coindesk Logo

Exchange Bug Discovery Averts Ethereum Token Theft

Exchange Bug Discovery Averts Ethereum Token Theft

Exchange Bug Discovery Averts Ethereum Token Theft

The discovery of a coding error has brought to light an issue that could put ethereum-based tokens held at exchanges at risk of theft.

The discovery of a coding error has brought to light an issue that could put ethereum-based tokens held at exchanges at risk of theft.

The discovery of a coding error has brought to light an issue that could put ethereum-based tokens held at exchanges at risk of theft.

AccessTimeIconApr 11, 2017, 11:00 AM
Updated Aug 18, 2021, 6:00 PM

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

A bug discovered last month could have potentially emptied exchange accounts holding digital tokens used to power the ethereum-based distributed application Golem.

However, due to the nature of the bug, it could also have been used on other ethereum tokens listed at the exchange. That's because it used the platform's ERC-20 standard, a feature that has won advocates in the exchange sector due to its ability to reduce the time it takes exchanges to add new coins.

However, a Golem supporter and a GNT holder found the bug on 18th March and reported it to the developer team before it could be used maliciously.

The problem that came to light stems from how exchanges prepare the data for transactions and how Solidity (the ethereum smart contracting language) encodes and decodes the transaction data, according to Golem Factory software engineer Pawel Bylica, who published a report on the issue.

According to his assessment, the service that prepared the data for token transfers assumes a 20-byte long address input, but didn't actually check to ensure that the input was the correct length.

As a result, a shorter address length caused the transaction amount to be shifted to the left, thereby increasing its value.

The Golem user reported a "strange" transaction that gained so much value that it could have emptied the entire exchange GNT account, according to Bylica's post. In fact, he only reason this didn't happen, he said, is that the number was so large that it was impossible for the exchange to complete it.

The bug has now been fixed and Bylica’s team has notified other exchanges of the potential vulnerability.

'Shocked and terrified'

Yet, fears were still stoked by the bug, given it could have been broadly applicable to other exchanges using ERC-20 tokens.

Although Bylica's team has not verified the existence of this vulnerability on other exchanges, he mentioned the potential downsides were serious.

"We were shocked and a little bit terrified to realize the potential consequences of someone taking advantage of that bug for multiple tokens on multiple exchanges," Bylica wrote.

Fortunately, some proposed fixes are relatively simple to implement.

"Simply checking the length of an address provided by a user secures [exchanges] from the described attack," wrote Bylica.

Reddit reactions

The reaction on Reddit ranged from mild outrage to debates on exchanges’ responsibility to provide enhanced security.

"This is basic stuff," wrote user BullBearBabyWhale. "I’m once again amazed how serious business in this space (which is all about security) is not taking it seriously."

For those storing any ethereum-based tokens, including ERC-20 tokens, on an exchange, Reddit user 1up8192 recommended reaching out to the service providers to see if they had checked for the vulnerability.

"Ask your exchange if they know about the possibility of injection and if they resolved the problem," they wrote.

Computer code image via Shutterstock

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.