The Red Alert about the ETH New False Top-up Vulnerability for Exchanges

SlowMist
May 23, 2020

Today SlowMist released a red alert for the second time: SlowMist has found a new attack method for the ETH False Top-up Vulnerability.

Yesterday (2020/05/22), SlowMist disclosed a new False Top-up method: depositing ETH to an exchange from a contract inside a transaction that is then reverted. SlowMist continued its in-depth research and discovered a variant that relies on an Out of Gas error instead.

SlowMist recommends:
If you are not able to fix the vulnerability immediately, you can temporarily suspend ETH deposits that originate from contract addresses.

Then perform the following fixing operations:

(2020/05/22) SlowMist first disclosed the revert-type False Top-Up attack method:

1. When handling ETH deposits made through a contract, check whether any inline (internal) transaction has reverted. If there is a reverted transaction, reject the deposit.

Today (2020/05/23), SlowMist released the Out of Gas method:

2. When handling ETH deposits made through a contract, check whether any inline (internal) transaction ran Out of Gas. If there is an Out of Gas transaction, reject the deposit.

3. When handling ETH deposits made through a contract, check whether any inline (internal) transaction carries an error field. If there is an error field, reject the deposit.

4. Process the accounting entries of contract-originated deposits manually, and credit the account only after confirming that the deposit address has actually received the ETH.
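The four checks above, as an added example that is not part of SlowMist's post: a deposit scanner that walks the internal-call tree of a transaction and refuses to credit anything if any frame carries an error (revert, out of gas, or otherwise), then confirms the credited amount against the deposit address's balance change. The trace layout is modeled on the nested `calls` / `error` / `value` shape of geth's `debug_traceTransaction` callTracer output; the three sample traces, the addresses and the balances are constructed for this example.

```python
from typing import Iterator, List

# Constructed addresses (placeholders, not real accounts).
DEPOSIT_ADDRESS = "0x" + "dd" * 20
CONTRACT = "0x" + "cc" * 20
SENDER = "0x" + "aa" * 20
ONE_ETH_HEX = "0xde0b6b3a7640000"  # 10**18 wei


def iter_frames(frame: dict) -> Iterator[dict]:
    """Depth-first walk over a call frame and every nested internal call."""
    yield frame
    for child in frame.get("calls", []):
        yield from iter_frames(child)


def failed_frames(trace: dict) -> List[dict]:
    """Recommendations 1-3: every frame with an `error` field disqualifies the deposit,
    whether the error is a revert, out of gas, or anything else."""
    return [f for f in iter_frames(trace) if f.get("error")]


def classify_failure(frame: dict) -> str:
    """Label a failed frame so the reason can be logged alongside the rejection."""
    err = frame.get("error", "").lower()
    if "revert" in err:
        return "revert"
    if "out of gas" in err:
        return "out_of_gas"
    return "other"


def creditable_wei(trace: dict, deposit_address: str) -> int:
    """Amount that may be credited for this transaction, or 0 if any internal call failed.
    Only CALL frames move value; the top-level frame is included so plain EOA transfers work."""
    if failed_frames(trace):
        return 0
    total = 0
    for f in iter_frames(trace):
        if f.get("type") == "CALL" and f.get("to", "").lower() == deposit_address.lower():
            total += int(f.get("value", "0x0"), 16)
    return total


def confirm_received(balance_before: int, balance_after: int, expected_wei: int) -> bool:
    """Recommendation 4: credit only once the deposit address's balance actually grew
    by at least the amount the trace claims."""
    return expected_wei > 0 and balance_after - balance_before >= expected_wei


# Constructed trace: contract forwards 1 ETH to the deposit address and succeeds.
TRACE_OK = {
    "type": "CALL", "from": SENDER, "to": CONTRACT, "value": "0x0",
    "calls": [{"type": "CALL", "from": CONTRACT, "to": DEPOSIT_ADDRESS, "value": ONE_ETH_HEX}],
}

# Constructed trace: the inner transfer frame looks fine, but the outer call reverted,
# so the transfer never took effect. A scanner that only reads the inner frame would credit it.
TRACE_REVERT = {
    "type": "CALL", "from": SENDER, "to": CONTRACT, "value": "0x0",
    "error": "execution reverted",
    "calls": [{"type": "CALL", "from": CONTRACT, "to": DEPOSIT_ADDRESS, "value": ONE_ETH_HEX}],
}

# Constructed trace: the inner transfer itself ran out of gas.
TRACE_OOG = {
    "type": "CALL", "from": SENDER, "to": CONTRACT, "value": "0x0",
    "calls": [{"type": "CALL", "from": CONTRACT, "to": DEPOSIT_ADDRESS,
               "value": ONE_ETH_HEX, "error": "out of gas"}],
}

if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("revert", TRACE_REVERT), ("oog", TRACE_OOG)):
        reasons = [classify_failure(f) for f in failed_frames(trace)]
        print(name, creditable_wei(trace, DEPOSIT_ADDRESS), reasons)
```

The scanner treats an error anywhere in the tree as fatal for the whole deposit rather than trying to work out which sub-frames were undone, which is the conservative reading of the three checks above; the balance confirmation is the independent second source that recommendation 4 asks for.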

Beyond the revert and Out of Gas methods, the possibility of further methods for contract-based ETH deposits cannot be ruled out. SlowMist will continue to monitor the situation and research it.

Note also that Ethereum-like blockchains may be exposed to the same risk. Please be aware.


SlowMist

SlowMist is a blockchain security firm established in 2018, providing services such as security audits, security consulting, red teaming, and more.