Potential Attack on Ethereum Network to mint GasTokens


Read Time: 3 minutes

Ethereum Network Vulnerability

The latest vulnerability in the Ethereum ecosystem, uncovered by Level K, potentially allows bad actors to mint large amounts of GasTokens or drain funds.

Discovered by whom?

In Level K's study (a hypothetical case study), it is shown that it is possible to mint a large amount of GasTokens while receiving ETH, or any ERC20 or other standard token.

The vulnerability comes to light when the fallback function of a receiver contract is able to carry out arbitrary computations that the transaction originator pays for, which carries the risk of 'griefing'.

What is a griefer?

A griefer or bad faith player is a player in a multiplayer video game who deliberately irritates and harasses other players within the game, using aspects of the game in intended or unintended ways, according to Wikipedia.

What is GAS?

Gas is a fundamental resource on the Ethereum blockchain: every transaction on the Ethereum network requires some amount of gas to execute, and the price paid per unit of gas may be 1 gwei or a two- or three-digit figure.

What is GasToken?

GasToken is a smart contract on the Ethereum blockchain that allows users to tokenize gas when gas prices are low and spend it when gas prices are high.

It was also the first smart contract through which a user is able to buy and sell gas on the Ethereum network.

How does GasToken work?

GasToken takes advantage of the storage refund concept in Ethereum: to encourage smart contracts to delete storage variables, the Ethereum network provides a refund when a storage variable is deleted, up to half of the gas used by the transaction.

● If a variable is changed from zero to a non-zero value, there is a gas fee
● If a variable is changed from a non-zero value to zero, there is a gas refund

To profit from gasToken:

● Mint tokens when gasPrice is low: change a variable from a zero value to non-zero.
● Burn tokens when gasPrice is high: change a variable from non-zero to zero.
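As an added illustration of the mint/burn mechanics above (this is example code written for this article, not the GasToken project's own contract, and the gas figures in the comments are the article's numbers), here is a minimal contract that banks gas the GST1 way: minting sets fresh storage slots to a non-zero value, and freeing sets them back to zero so that the clearing refund is credited at the end of the transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed simplification of the GST1 mechanism, written for this article.
// Each banked unit is one storage slot holding a non-zero value.
contract StorageGasBank {
    mapping(uint256 => uint256) private slots;
    uint256 public minted; // number of non-zero slots currently banked

    // Mint `n` units while the gas price is low. Every SSTORE that turns a
    // zero slot into a non-zero one pays the full storage-write cost
    // (20000 gas in the article's figures), so the caller is effectively
    // buying gas at today's price.
    function mint(uint256 n) external {
        uint256 start = minted;
        for (uint256 i = 0; i < n; i++) {
            slots[start + i] = 1;
        }
        minted = start + n;
    }

    // Free `n` units while the gas price is high. Every SSTORE that turns a
    // non-zero slot back to zero costs 5000 gas but earns a 15000 gas
    // refund (article's figures). The refund is paid back only at the end
    // of the enclosing transaction and is capped at half of the gas that
    // transaction used, so free() is meant to be called from inside an
    // otherwise expensive transaction, not on its own.
    function free(uint256 n) external {
        require(n <= minted, "not enough banked");
        uint256 start = minted;
        for (uint256 i = 0; i < n; i++) {
            slots[start - 1 - i] = 0;
        }
        minted = start - n;
    }
}
```

Two caveats for anyone modelling this: because of the refund cap, freeing tokens in a transaction that does nothing else wastes most of the refund, which is why the article's break-even condition only holds when the refund is absorbed by real work in the same transaction. The figures also predate EIP-3529 (London hard fork, 2021), which reduced the SSTORE clearing refund from 15000 to 4800 gas, lowered the refund cap from one half to one fifth of gas used, and removed the SELFDESTRUCT refund that GST2 relied on, so this kind of gas banking is no longer profitable on mainnet.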

Example:

Writing permanent blockchain state costs a significant amount of gas. For instance, the SSTORE instruction currently costs 20000 gas when writing a non-zero value to storage. Erasing the storage costs an additional 5000 gas, but also provides a refund of 15000 gas.

Suppose we write to storage when the gas price is low, at gas_low, and redeem the token for a refund when the gas price is high, at gas_high. Our total expense per storage word is:

20000⋅gas_low + 5000⋅gas_high

We receive a refund per word of:

15000⋅gas_high

We save whenever the refund exceeds the expense, that is, whenever 15000⋅gas_high > 20000⋅gas_low + 5000⋅gas_high. Subtracting 5000⋅gas_high from both sides gives 10000⋅gas_high > 20000⋅gas_low, so we could expect savings whenever:

gas_high > 2⋅gas_low

There are actually two versions of GasToken: one that uses storage to bank gas (GST1, used in the example above), and another that banks gas by creating contracts and takes advantage of the gas refund obtained when a whole contract is deleted via SELFDESTRUCT (GST2).

 

Comparison between the two versions of GasToken (figure)

 

How does the attacker benefit?

A GasToken holder can reduce the cost of a transaction when the gas price is high by burning GasTokens that were minted when the gas price was low. The attack turns this against an exchange: the attacker calls the exchange's withdraw function, which initiates a transfer of ETH or ERC20 tokens to an address the attacker controls. If that address is a contract, the transfer invokes the contract's fallback function, and that function runs on the gas paid for by the exchange's transaction. The fallback can therefore mint GasTokens at the exchange's expense, or execute computations that drain the transaction originator's funds through gas fees.

Suggestions to avoid this type of attack

Most exchanges are already aware of this type of minting attack but still fail to cover all of its variants. The reasons are a lack of developer knowledge and awareness of these attacks, and the fact that existing tools cannot verify every potential bug and vulnerability in a smart contract, especially those related to delegate calls. The attack is even more harmful for exchanges that have not implemented a proper KYC process, since attackers can repeatedly mint GasTokens using different addresses.

A gas limit should be applied to every withdrawal transaction, so that the maximum amount an attacker can make the exchange pay is bounded by:

required_gas_limit * gas_price
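To make the withdrawal pattern and the suggested gas-limit mitigation concrete, here is an added example written for this article (it is not any exchange's code, and the contract and function names are assumptions): an operator-controlled payout contract in its griefable form next to a version that caps the gas forwarded to the recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed example: a minimal operator-driven payout wallet. The exchange's
// operator key submits withdraw() and therefore pays the transaction's gas.
contract GriefablePayout {
    address public immutable operator;

    constructor() {
        operator = msg.sender;
    }

    receive() external payable {}

    // Vulnerable form: a `call` with no gas specified forwards all but 1/64
    // of the remaining gas to `to`. If `to` is a contract, its fallback runs
    // on the operator's gas budget and can spend that budget on storage
    // writes, i.e. on minting GasTokens the operator pays for.
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "payout failed");
    }
}

contract BoundedPayout {
    address public immutable operator;

    // Gas forwarded to the recipient. 2300 is the classic stipend: enough to
    // emit an event, far too little for an SSTORE from zero to non-zero, so
    // no GasToken can be minted inside the recipient's fallback.
    uint256 public constant RECIPIENT_GAS = 2300;

    constructor() {
        operator = msg.sender;
    }

    receive() external payable {}

    // Hardened form: the recipient's fallback is capped at RECIPIENT_GAS. The
    // operator additionally sets a tight gas limit on the transaction itself
    // when submitting it, so the worst-case cost of one withdrawal is
    // required_gas_limit * gas_price regardless of what the recipient does.
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount, gas: RECIPIENT_GAS}("");
        require(ok, "payout failed");
    }
}
```

Capping the forwarded gas is a trade-off: recipients that are themselves contracts (multisig or smart-contract wallets) may legitimately need more than 2300 gas in their receive path, so a production wallet would choose the cap deliberately or allow-list such recipients. The transaction-level gas limit from the article remains the backstop in either case: whatever the recipient's fallback does, the operator cannot be made to pay more than required_gas_limit * gas_price per withdrawal.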

At QuillHash, we understand the potential of blockchain and have a strong team of developers who can develop any blockchain application, such as smart contracts, dApps, smart coins, DeFi and DEXes, on any blockchain platform, such as Ethereum, EOS and Hyperledger.

To be up to date with our work, Join Our Community :-

Telegram | Twitter | Facebook | LinkedIn
