ERC-20 tokens on the Ethereum network worth more than $1 billion are vulnerable to a hacker attack via fake deposits, according to a joint study by four institutes from China and Australia.
The study is available as arXiv preprint 2006.06419.
The vulnerability enables attackers to fraudulently withdraw substantial sums from exchanges with virtually no cost. A fake-deposit attack could disrupt exchange operations. For token issuers, the risk is even higher: in the worst case they may have to reissue the tokens.
Because smart contracts are immutable, there are only two remedies: centralized exchanges can add malicious contracts to a blacklist, or developers can deploy backup contracts to replace vulnerable ones, though this comes with its own risks.
In total, 7,772 ERC-20 tokens are susceptible to the vulnerability. Of these, 99.2% are traded on centralized exchanges, including Binance, Coinbase, Kraken and OKEx. These tokens do not comply with the EIP-20 standard, which was released in 2017.
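The non-compliance the study points to is a `transfer` that returns `false` instead of reverting when the sender's balance is too low, so a deposit monitor that only checks that the transaction succeeded credits tokens that never moved. The following is an added illustration, not code from the study or from any listed token: a hypothetical token with that behaviour next to a hypothetical exchange-side deposit contract that checks both the return value and the actual balance change before crediting anything.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Constructed example of the non-compliant pattern: an insufficient balance
// makes transfer() return false, but the transaction itself still succeeds.
contract NonCompliantToken {
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value);

    function transfer(address to, uint256 value) external returns (bool) {
        if (balanceOf[msg.sender] < value) return false; // EIP-20 expects a revert here
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }
}

// Hypothetical deposit vault: credits a deposit only if the tokens actually arrived.
contract DepositVault {
    mapping(address => mapping(address => uint256)) public credited; // token => user => amount
    event Deposit(address indexed token, address indexed user, uint256 amount);

    function deposit(IERC20 token, uint256 amount) external {
        uint256 before = token.balanceOf(address(this));

        // Low-level call so tokens that return no data are accepted,
        // while an explicit `false` return value is rejected.
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, msg.sender, address(this), amount)
        );
        require(ok, "transferFrom reverted");
        require(data.length == 0 || abi.decode(data, (bool)), "transferFrom returned false");

        // Independent of what the token reported: the balance must have grown by `amount`.
        uint256 received = token.balanceOf(address(this)) - before;
        require(received == amount, "balance delta mismatch");

        credited[address(token)][msg.sender] += received;
        emit Deposit(address(token), msg.sender, received);
    }
}
```

An off-chain deposit monitor needs the same two checks: decode the return value of the transfer call rather than relying on the transaction status, and confirm the balance change on the deposit address before crediting the account.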
Among vulnerable tokens listed on centralized exchanges, researchers named Basic Attention Token (BAT), Huobi Pool Token (HPT), Baer Chain (BTC), Power Ledger (PWR) and Rocket Pool (RPL). Of those traded on DEXs, they disclosed CloudBric, MovieCredits, BullandBear, LOVE and EtherDOGE, although activity for the latter is close to zero.
The authors of the report declined to name all tokens. Their aggregate value, as of April 2020, amounted to $1.1 billion.
