Over $1 billion worth of tokens on the Ethereum blockchain are issued by smart contracts that do not follow a revision of the ERC-20 software standard released in 2017, setting them up to be hijacked and drained from trading exchanges, according to new research.
The software vulnerability, called a fake deposit exploit, was found in 7,772 ERC-20 token contracts, according to research from Peking University, Beijing University of Posts and Telecommunications, Zhejiang University and the University of Queensland.
The research states that by exploiting a flaw in the smart contracts, or programming scripts, of ERC-20 tokens listed on cryptocurrency exchanges with deficient transaction verification, a hacker can fraudulently siphon exorbitant amounts of funds at nearly no cost. The fake deposit attack could then crash the exchange, causing holders of the ERC-20 tokens and other cryptocurrencies to lose their funds.
Some holders could also have trouble accessing utilities purchased with the ERC-20 tokens, which are increasingly tied to goods and necessities such as energy, real estate and insurance.
"If the fake deposit attack is carried out, it is for sure a great disaster for the token," said Haoyu Wang, one of the researchers and an associate professor of computer science at Beijing University of Posts and Telecommunications. "Worst case, the token has to be reissued."
Because deployed smart contracts are immutable on the Ethereum blockchain and cannot be rolled back, the onus falls on cryptocurrency exchanges to fix deposit procedures for ERC-20 tokens already prone to the fake deposit attack. Fabian Vogelsteller, the Ethereum developer who authored the ERC-20 standard, said cryptocurrency exchanges can blacklist malicious token contracts.
Lei Wu, an associate professor of cyber science at Zhejiang University and a second member of the research team, also suggested deploying so-called proxy smart contracts to keep open the option of replacing old Ethereum smart contracts. However, some Ethereum developers have avoided writing proxy smart contracts because they carry their own security risks.
For ERC-20 tokens still in development, the Ethereum Foundation recommends that developers implement the current EIP-20 requirement for handling failed transfers as a failsafe against inattentive cryptocurrency exchanges, Wang and Wu said.
How it works: Transaction duping
An ERC-20 smart contract written without the 2017 revision of the Ethereum software standard EIP-20 checks for an insufficient token balance with what is known in computer science as a conditional programming statement, and on failure that conditional executes a "return false" statement instead of throwing. The transaction is therefore not reverted: it completes successfully on chain, no tokens move, and the function merely reports false to its caller. This "return false" becomes the basis for the fake deposit attack on cryptocurrency exchanges that do not check the return value, or the resulting balance change, after the programming functions "transfer" and "transferFrom" are called.
The attack begins with the attacker holding an account on an exchange that accepts the vulnerable token, for example after a legitimate deposit of a single token. On a decentralized exchange, the attacker calls the exchange's "depositToken" function with an inflated amount; it in turn calls the token's "transferFrom", which returns false without moving anything, and the exchange credits the full amount to the attacker's account anyway. On a centralized exchange, the attacker instead calls the token's "transfer" function directly, with the "_to" field set to the deposit address the exchange assigned to the attacker's account and "_value" set to the desired token amount; the transaction succeeds, the exchange observes it and credits the attacker's balance.
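To make the mechanism concrete, the following is an added Python model of the token-side conditional and the exchange-side deposit logic. It is not code from the research paper, from any token, or from any exchange: the token classes, exchange classes, account names and the "exchange_hot_wallet" deposit address are all invented for illustration, the on-chain transaction is replaced by a direct function call, and the TransferReverted exception stands in for an EVM revert. It shows the vulnerable pairing (a token that returns false plus an exchange that ignores the return value) beside both fixes: a token that reverts, and an exchange that checks the return value and the change in its deposit address balance.

```python
"""Model of the ERC-20 fake-deposit attack and the two places it can be fixed.

Added illustration only; names and balances below are constructed, not taken
from any real token or exchange.
"""


class TransferReverted(Exception):
    """Stands in for an EVM revert: the call fails and nothing is credited."""


class LegacyToken:
    """Pre-2017-revision style token: transfer() returns False on insufficient balance."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def transfer(self, sender, to, value):
        # The conditional at the heart of the fake-deposit bug: no revert, just False.
        # The call "succeeds" from the chain's point of view while moving nothing.
        if self.balances.get(sender, 0) < value:
            return False
        self.balances[sender] = self.balances.get(sender, 0) - value
        self.balances[to] = self.balances.get(to, 0) + value
        return True


class CompliantToken(LegacyToken):
    """Token following the 2017 EIP-20 wording: insufficient balance throws instead."""

    def transfer(self, sender, to, value):
        if self.balances.get(sender, 0) < value:
            raise TransferReverted("insufficient balance")
        return super().transfer(sender, to, value)


class NaiveExchange:
    """Exchange that credits a deposit as soon as transfer() did not revert."""

    def __init__(self, token, deposit_addr):
        self.token = token
        self.deposit_addr = deposit_addr
        self.credits = {}

    def deposit(self, user, value):
        try:
            self.token.transfer(user, self.deposit_addr, value)  # return value ignored
        except TransferReverted:
            return 0
        # Vulnerable: credits the requested amount without verifying anything arrived.
        self.credits[user] = self.credits.get(user, 0) + value
        return self.credits[user]


class CheckedExchange(NaiveExchange):
    """Exchange that credits only if transfer() returned True AND its balance grew by value."""

    def deposit(self, user, value):
        before = self.token.balance_of(self.deposit_addr)
        try:
            ok = self.token.transfer(user, self.deposit_addr, value)
        except TransferReverted:
            return 0
        received = self.token.balance_of(self.deposit_addr) - before
        if not ok or received != value:
            return 0  # fake deposit: reject, do not credit
        self.credits[user] = self.credits.get(user, 0) + received
        return self.credits[user]


def run_scenario(token_cls, exchange_cls, attacker_balance=1, requested=1_000_000):
    """Attacker holding `attacker_balance` tokens asks to deposit `requested`.

    Returns (amount the exchange credited, tokens actually held by the exchange).
    """
    token = token_cls({"attacker": attacker_balance})
    exchange = exchange_cls(token, "exchange_hot_wallet")
    credited = exchange.deposit("attacker", requested)
    return credited, token.balance_of("exchange_hot_wallet")


if __name__ == "__main__":
    print("legacy token + naive exchange:  ", run_scenario(LegacyToken, NaiveExchange))
    print("compliant token + naive exchange:", run_scenario(CompliantToken, NaiveExchange))
    print("legacy token + checked exchange:", run_scenario(LegacyToken, CheckedExchange))
```

In the first scenario the exchange credits one million tokens while holding none, which is the fake deposit; either fix alone stops it. A real centralized exchange does not call transfer() itself but detects deposits by scanning mined transactions, so the analogue of the ok check is inspecting the call's return data or the token's Transfer event rather than only the transaction's success status, and the balance-delta check is the one that also covers tokens that emit no event.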
Which ERC-20 tokens are at risk?
The vulnerable tokens with the most trading volume on decentralized exchanges, CloudBric, MovieCredits, BullandBear, LOVE and EtherDOGE, have had little, if any, activity, according to the research. These ERC-20 tokens are circulating on three decentralized exchanges, IDEX, DDEX and EtherDelta, which patched the vulnerability this month, according to the study's researchers.
In contrast, 7,716 of the ERC-20 tokens vulnerable to the fake deposit attack, 99.2% of those identified, are listed on centralized exchanges such as Binance, Coinbase, OKEx and Kraken. Affected tokens on centralized exchanges, where the bulk of the non-compliant ERC-20 tokens are trading, were valued at more than $1.1 billion in April.
Baer Chain's BRC token, the Brave privacy web browser's Basic Attention Token (BAT), the HPT token of the Chinese cryptocurrency exchange Huobi, the Rocket Pool Ethereum staking service's RPL token and the Power Ledger electrical grid blockchain's PWR token had the highest recorded market capitalizations of the vulnerable tokens held on centralized exchanges. Approximately $391,000 in 87,000 BRC, $388,000 in 305,000 BAT, $63,000 in 1,000 HPT, $39,000 in 3,000 RPL and $28,000 in 50,000 PWR were affected, the research said.
When asked, the computer scientists declined to identify the affected Ethereum tokens beyond those with the top five trading volumes on decentralized exchanges and the top five market capitalizations on centralized exchanges. The researchers also did not determine which centralized exchanges have not undertaken the recommended Ethereum token security procedures.
"For the vulnerabilities and attacks we identified, some of them have been confirmed," Wang said. Neither the researchers nor PeckShield, a blockchain security company that collaborated with the research team, are choosing to publicly identify vulnerable tokens other than the 10 that are known, Wang said.
Yan Zhu, Brave Software chief information security officer, said the vulnerability is not linked to the Brave browser wallet, and that the affected Basic Attention Tokens were deployed without proxy smart contracts before Ethereum blockchain standard EIP-20 was modified in 2017 to integrate the software implementation that prevents the fake deposit attack.
Power Ledger, on the other hand, deployed its affected ERC-20 tokens even after the Ethereum Foundation released the updated EIP-20 software implementation. For now, John Bulich, Power Ledger technical director, advises Power Ledger customers to "hold their own crypto assets in their own secure wallets" and "not trust centralized exchanges with anything more than their current trading stock."
The five known issuers of the tokens affected on centralized exchanges did not respond to queries as to whether they have checked with cryptocurrency exchanges about the vulnerability.
Huobi, Baer Chain and Rocket Pool did not respond to requests for comment.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.