How to find Solidity vulnerabilities
Level K, a decentralized application company, has reported a vulnerability in Ethereum-based smart contracts that potentially allows fraudsters not only to cause damage but even to profit from their attacks.
The problem arises when ETH is sent to an address that is itself a smart contract: the receiving contract can perform arbitrary computation, and the gas for it is paid by the initiator of the transaction. Using this vulnerability, an attacker can harm network users and exchanges whose smart contracts and withdrawal logic set no gas limits and have no protection against such fraud. Potentially, an attacker can not only drain the operator’s wallet, but also make money doing so.
The essence of the attack is that a hacker who wants to harm the operator requests a withdrawal to the address of a smart contract he controls. If the operator has not set gas restrictions on outgoing transfers, he pays the gas fee for whatever that contract executes, out of his own wallet. After a certain number of such withdrawals, the attacker can completely empty the operator’s account. If the operator has no KYC system, the attacker can also bypass the limits on withdrawing funds from a single account. The hacker can even turn a profit by minting GasToken during the withdrawal and selling it later.
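To make the operator-side mistake concrete, here is an added example (constructed for this article; it is not code from Level K or from any exchange) of an exchange-style payout contract with two withdrawal functions: one that forwards all remaining gas to the recipient, and one that caps the gas forwarded so a recipient contract cannot run expensive computation on the operator’s tab. The contract name, function names, the `SEND_GAS_LIMIT` value and the deposit logic are all assumptions; the same principle applies to withdrawals sent directly from an operator’s externally owned account, where the fix is a tight gas limit on the transaction itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a minimal payout contract for an operator that holds
// user balances and sends ETH out on withdrawal requests.
contract Payout {
    address public operator;
    mapping(address => uint256) public balances;

    // Assumed cap on gas forwarded to a recipient. 2300 is the stipend that
    // transfer()/send() give, enough for an externally owned account or a
    // trivial receive(); an operator may choose a different value, the point
    // is that it is bounded.
    uint256 public constant SEND_GAS_LIMIT = 2300;

    event Withdrawn(address indexed to, uint256 amount);

    constructor() {
        operator = msg.sender;
    }

    modifier onlyOperator() {
        require(msg.sender == operator, "not operator");
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Risky pattern: call{value: ...} with no gas cap forwards all remaining
    // gas. If `to` is a contract, its receive()/fallback may burn that gas on
    // arbitrary work (for example minting GasToken), and the operator, who
    // signed the transaction, pays for it.
    function withdrawUnbounded(address payable to, uint256 amount) external onlyOperator {
        require(balances[to] >= amount, "insufficient balance");
        balances[to] -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
        emit Withdrawn(to, amount);
    }

    // Hardened pattern: the recipient gets at most SEND_GAS_LIMIT gas, so the
    // cost of a withdrawal is bounded regardless of what lives at `to`.
    // A recipient contract that needs more gas will see the send fail and must
    // fall back to pulling funds itself instead of having them pushed.
    function withdrawBounded(address payable to, uint256 amount) external onlyOperator {
        require(balances[to] >= amount, "insufficient balance");
        balances[to] -= amount;
        (bool ok, ) = to.call{value: amount, gas: SEND_GAS_LIMIT}("");
        require(ok, "send failed");
        emit Withdrawn(to, amount);
    }
}
```

When reviewing an operator’s withdrawal code, the thing to look for is the unbounded form: any `call{value: ...}` without a `gas:` field, or an off-chain signer that sets a generous per-transaction gas limit for plain ETH transfers. Combining the gas cap with per-account withdrawal limits addresses both halves of the problem the article describes, the griefed gas and the bypassed per-account restrictions.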
According to the developers, not only ETH transfers but also all ERC-721 and ERC-20 token transfers are at risk. The company informed all exchanges of the potential threat back on November 13 and publicly released the information on the 21st, giving operators time to make changes.
Ethereum has been going through hard times lately. A study showed that, because of the coin’s falling exchange rate since November, mining ETH on GPUs has ceased to be profitable.
text: Ivan Malichenko, photo: blockchain3