Newly spotted Ethereum vulnerabilities put $1 billion at stake
Researchers have discovered multiple vulnerabilities in the Ethereum cryptocurrency this month that, when exploited by attackers, can have devastating consequences.
These flaws can let attackers tamper with “smart contracts,” a mechanism that powers cryptocurrency transactions, much like real-world contracts.
The flaws include:
- Integer underflow to get the maximum possible value of an Ethereum token. For example, an attacker with zero balance can exploit an integer underflow flaw to get the maximum value of an ETH token: approximately 4.3 billion.
- Integer overflow to reduce a maximum balance to zero value.
- Unprotected withdrawal, which enables any actor to withdraw Ether funds they shouldn't have access to due to flaws in the smart contract.
- Unprotected self-destruct lets an attacker nullify a contract before a transaction completes and redirect the balance associated with a transaction to any arbitrary address.
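The integer underflow and overflow items above, shown as an added Rust example (not the researchers' code and not taken from any real contract): an unchecked transfer beside a checked one. The `Ledger` type, its method names and the account names are hypothetical, and the 32-bit balance width is an assumption inferred from the "approximately 4.3 billion" figure.

```rust
// Added illustration: a toy token ledger, not code from any real contract.
// ASSUMPTION: balances are u32, inferred from the article's "approximately
// 4.3 billion" (u32::MAX = 4,294,967,295). All names are hypothetical.
use std::collections::HashMap;

#[derive(Default)]
pub struct Ledger {
    balances: HashMap<String, u32>,
}

impl Ledger {
    pub fn set(&mut self, who: &str, amount: u32) {
        self.balances.insert(who.to_string(), amount);
    }

    pub fn balance(&self, who: &str) -> u32 {
        self.balances.get(who).copied().unwrap_or(0)
    }

    /// Flawed: wrapping arithmetic and no balance check.
    pub fn transfer_unchecked(&mut self, from: &str, to: &str, amount: u32) {
        let debited = self.balance(from).wrapping_sub(amount); // 0 - 1 -> u32::MAX
        self.set(from, debited);
        let credited = self.balance(to).wrapping_add(amount); // u32::MAX + 1 -> 0
        self.set(to, credited);
    }

    /// Hardened: both results are validated before any state is written.
    pub fn transfer_checked(&mut self, from: &str, to: &str, amount: u32) -> Result<(), &'static str> {
        let debited = self.balance(from).checked_sub(amount).ok_or("insufficient balance")?;
        // A self-transfer must credit the already-debited value.
        let before = if from == to { debited } else { self.balance(to) };
        let credited = before.checked_add(amount).ok_or("recipient balance overflow")?;
        self.set(from, debited);
        self.set(to, credited);
        Ok(())
    }
}

fn main() {
    let mut l = Ledger::default();
    l.set("bob", u32::MAX); // constructed sample state; "alice" starts at 0
    l.transfer_unchecked("alice", "bob", 1);
    println!("unchecked: alice={} bob={}", l.balance("alice"), l.balance("bob"));

    let mut l = Ledger::default();
    l.set("bob", u32::MAX);
    println!("checked:   {:?}", l.transfer_checked("alice", "bob", 1));
}
```

In the unchecked path a single one-unit transfer produces both wraps: the sender's zero balance becomes 4,294,967,295 and the recipient's maximum balance becomes zero.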
Six months of analysis revealed almost $1bn at stake
Researchers from the CyberNews.com Investigations team who disclosed these vulnerabilities stated they analyzed Ethereum blocks spanning a six-month period.
“We scanned 6 months’ worth of blocks from Ethereum’s blockchain and found that 3,779 contracts have 13 different types of vulnerabilities, including 4 high-severity vulnerabilities,” state the researchers in a report.
The researchers have estimated the value of vulnerable smart contracts at almost $1 billion.
“The total value of these vulnerable smart contracts is 2,088 ETH, which equals $964,172.”
How can users protect themselves?
For users relying on online Ethereum ledgers and services, smart contracts can be reviewed using blockchain explorers like Etherscan.
Doing so can provide insights into whether smart contracts have been audited and verified.
“If the smart contract has not been audited or verified, we’d recommend avoiding that particular platform or online service,” state the researchers.
The news follows a 2016 incident surrounding a weakness in Ethereum smart contracts that led to $50 million in losses.
Despite their claims of providing anonymity and freedom from centralized government-regulated currencies, cryptocurrency systems are not without their flaws and can be seized just as easily by governments.