
Newly spotted Ethereum smart-contract vulnerabilities put nearly $1 million at stake

Researchers this month disclosed multiple classes of vulnerability in smart contracts deployed on the Ethereum blockchain that, when exploited, can have devastating consequences for the funds those contracts hold.

The flaws let attackers tamper with “smart contracts”: programs stored on the blockchain that hold and move funds according to rules fixed in their code, much as a real-world contract binds its parties.

The flaw classes include:

  1. Integer underflow. Token balances are unsigned integers of a fixed width, and in unchecked code subtracting more than is held wraps around to the largest representable value instead of failing. An attacker with a zero balance can therefore end up holding the maximum possible token balance; for a 32-bit unsigned integer that is 2^32 - 1, approximately 4.3 billion, the figure cited in the report.
  2. Integer overflow. The mirror image: adding to a balance that already sits at the maximum wraps it back around to zero.
  3. Unprotected withdrawal. A withdrawal function that checks neither the caller's authorization nor their recorded balance lets any account pull Ether out of the contract that it should not have access to.
  4. Unprotected self-destruct. A selfdestruct call that any account can trigger lets an attacker destroy the contract before pending business completes and forward its entire remaining balance to an arbitrary address of their choosing.
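
The following Solidity contracts are an added illustration, not code from the CyberNews report or from any contract the researchers examined. UnsafeVault reproduces the four flaw classes above in one toy vault; SafeVault is the hardened form. Contract and function names are invented for this example. Solidity 0.8 reverts on overflow and underflow by default, so the vulnerable contract uses unchecked blocks to recreate the pre-0.8 wrap-around behaviour the report describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (hypothetical names): a vault exhibiting the four flaw classes.
contract UnsafeVault {
    mapping(address => uint256) public balances;
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Flaw 2, integer overflow: `unchecked` restores pre-0.8 wrap-around, so a
    // balance at type(uint256).max wraps back to a small number on deposit.
    function deposit() external payable {
        unchecked {
            balances[msg.sender] += msg.value;
        }
    }

    // Flaw 1, integer underflow: with a zero balance, 0 - 1 wraps to
    // type(uint256).max, so the caller ends up "holding" the maximum balance
    // without ever depositing anything.
    function credit(address to, uint256 amount) external {
        unchecked {
            balances[msg.sender] -= amount;
            balances[to] += amount;
        }
    }

    // Flaw 3, unprotected withdrawal: neither the caller's identity nor its
    // recorded balance is checked, so anyone can drain the contract's Ether.
    function withdraw(uint256 amount) external {
        payable(msg.sender).transfer(amount);
    }

    // Flaw 4, unprotected selfdestruct: any caller can destroy the contract and
    // forward its whole Ether balance to an address they choose.
    function shutdown(address payable to) external {
        selfdestruct(to);
    }
}

// Hardened counterpart (added example, hypothetical names).
contract SafeVault {
    mapping(address => uint256) public balances;
    address public immutable owner;

    event Withdrawal(address indexed who, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Checked arithmetic (the 0.8 default): an overflow reverts, never wraps.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // The checked subtraction alone would revert on underflow; the explicit
    // require documents the invariant and gives a readable error.
    function transfer(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    // Withdrawal is bound to the caller's own balance, and state is updated
    // before the external call (checks-effects-interactions) so a re-entering
    // callee already sees the reduced balance.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawal(msg.sender, amount);
    }

    // Destructive action restricted to the owner; funds can only go to the owner.
    function shutdown() external onlyOwner {
        selfdestruct(payable(owner));
    }
}
```

Two caveats for anyone adapting this: contracts compiled with Solidity older than 0.8 get the UnsafeVault arithmetic behaviour everywhere, not only inside unchecked blocks, which is why libraries such as SafeMath were common before 0.8; and selfdestruct has been deprecated by the compiler since Solidity 0.8.18, so new code should avoid it rather than merely guard it.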

Six months of analysis found almost $1 million at stake

Researchers from the CyberNews.com Investigations team who disclosed these vulnerabilities stated they analyzed Ethereum blocks spanning a six-month period.

“We scanned 6 months’ worth of blocks from Ethereum’s blockchain and found that 3,779 contracts have 13 different types of vulnerabilities, including 4 high-severity vulnerabilities,” state the researchers in a report.

The researchers estimate the combined value held by the vulnerable smart contracts at almost $1 million.

“The total value of these vulnerable smart contracts is 2,088 ETH, which equals $964,172.”

How can users protect themselves?

Users of Ethereum-based services can look up the smart contracts those services rely on in a blockchain explorer such as Etherscan.

An explorer shows whether a contract's source code has been verified, that is, published and confirmed to match the bytecode deployed on chain, and often whether an audit has been linked to it.

“If the smart contract has not been audited or verified, we’d recommend avoiding that particular platform or online service,” state the researchers.

The news follows the 2016 attack on The DAO, in which a weakness in an Ethereum smart contract led to roughly $50 million in losses.

Whatever their promise of anonymity and independence from government-regulated currencies, cryptocurrency systems are not free of flaws, and funds held in them remain within reach of government seizure.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
