Red Alert: A New ETH False Top-up Vulnerability Affecting Exchanges

Today SlowMist is issuing its second red alert: SlowMist has found a new attack method for the ETH False Top-up Vulnerability.

Yesterday (2020/05/22), SlowMist disclosed a new False Top-up method in which ETH is deposited to an exchange through a contract call whose internal transfer is reverted. SlowMist continued its in-depth research and discovered a further variant that relies on an Out of Gas error.

SlowMist recommends:
If you are unable to fix the vulnerability immediately, temporarily suspend ETH deposits that originate from contract addresses.

Then perform the following fixing operations:

(2020/05/22) SlowMist first disclosed the revert-type False Top-up attack method:

1. When handling ETH deposits made through a contract, check whether any internal (inline) transaction of the deposit transaction was reverted. If a reverted transaction is present, reject the deposit.

Today (2020/05/23), SlowMist released the Out of Gas method:

2. When handling ETH deposits made through a contract, check whether any internal (inline) transaction of the deposit transaction ran Out of Gas. If an Out of Gas transaction is present, reject the deposit.

3. When handling ETH deposits made through a contract, check whether any internal (inline) transaction carries an error field. If an error field is present, reject the deposit.

4. Process the accounting entries for contract deposits manually, and only credit the account after confirming that the deposit address has actually received the ETH.
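The four rules above can be applied mechanically to the call trace of the deposit transaction. The following is an added example written for this page, not SlowMist's own code: it walks a Geth `debug_traceTransaction` callTracer-style call tree (assumed shape: nested `calls`, each with `type`, `from`, `to`, `value` and an optional `error` string) and rejects the deposit if any internal call carries an error (rules 1 to 3), while also computing how much ETH provably reached the deposit address (rule 4). The three traces at the bottom are constructed for the example; the addresses and values are placeholders, not real chain data. The key point the code makes explicit is that a value transfer inside a frame whose ancestor later reverted or ran out of gas never takes effect, even though that inner frame shows no error of its own.

```python
"""Defensive evaluation of an ETH deposit that arrived via a contract.

Added example (not SlowMist's code).  Assumes Geth callTracer output:
nested ``calls`` with ``type``, ``from``, ``to``, ``value`` (hex string) and
an optional ``error`` string such as "execution reverted" or "out of gas".
Only CALL frames are treated as moving ETH; other value-moving frame types
are out of scope for this toy.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

REVERT = "execution reverted"   # error string Geth reports for a revert
OUT_OF_GAS = "out of gas"        # error string Geth reports for OOG


@dataclass
class DepositDecision:
    credit: bool        # whether the exchange may book the deposit
    reason: str         # why it was accepted or rejected
    received_wei: int   # ETH that provably reached the deposit address


def _walk(call: dict, ancestors_ok: bool = True) -> Iterator[Tuple[dict, bool]]:
    """Yield every frame with a flag telling whether it *and all its ancestors*
    completed without error.  State changes (including value transfers) in a
    frame are rolled back if any enclosing frame fails."""
    ok = ancestors_ok and not call.get("error")
    yield call, ok
    for child in call.get("calls", []):
        yield from _walk(child, ok)


def _wei(value: Optional[str]) -> int:
    return int(value, 16) if value else 0


def evaluate_deposit(trace: dict, deposit_address: str) -> DepositDecision:
    """Apply the advisory's rules to one traced transaction."""
    deposit_address = deposit_address.lower()
    errors: List[str] = []
    received = 0
    for call, ok in _walk(trace):
        err = call.get("error")
        if err:
            errors.append(err)
        to = (call.get("to") or "").lower()
        # Credit only transfers whose whole ancestor chain succeeded.
        if ok and call.get("type") == "CALL" and to == deposit_address:
            received += _wei(call.get("value"))
    if errors:
        # Rules 1-3: any revert, Out of Gas or other error field -> reject.
        kinds = ", ".join(sorted(set(errors)))
        return DepositDecision(False, f"internal call error(s): {kinds}", received)
    if received == 0:
        # Rule 4: nothing reached the deposit address, nothing to book.
        return DepositDecision(False, "no ETH reached the deposit address", 0)
    return DepositDecision(True, "all internal calls succeeded", received)


# --- constructed sample traces (placeholder addresses, not real data) ------
DEPOSIT = "0x" + "11" * 20          # exchange deposit address
USER_EOA = "0x" + "22" * 20         # externally owned account sending the tx
USER_CONTRACT = "0x" + "33" * 20    # contract that forwards the ETH
ONE_ETH = hex(10**18)


def _frame(frm: str, to: str, value: str = "0x0",
           error: Optional[str] = None, calls: Tuple[dict, ...] = ()) -> dict:
    frame = {"type": "CALL", "from": frm, "to": to, "value": value,
             "gas": "0x2dc6c0", "gasUsed": "0x5208", "input": "0x",
             "calls": list(calls)}
    if error:
        frame["error"] = error
    return frame


# Honest deposit: the contract forwards 1 ETH and every frame succeeds.
HONEST_TRACE = _frame(USER_EOA, USER_CONTRACT, ONE_ETH,
                      calls=(_frame(USER_CONTRACT, DEPOSIT, ONE_ETH),))

# Revert variant: the inner transfer appears in the trace but its frame reverted.
REVERT_TRACE = _frame(USER_EOA, USER_CONTRACT, ONE_ETH,
                      calls=(_frame(USER_CONTRACT, DEPOSIT, ONE_ETH, error=REVERT),))

# Out of Gas variant: the inner transfer frame looks fine in isolation, but the
# enclosing frame ran out of gas, so the transfer was rolled back.
OOG_TRACE = _frame(USER_EOA, USER_CONTRACT, ONE_ETH, error=OUT_OF_GAS,
                   calls=(_frame(USER_CONTRACT, DEPOSIT, ONE_ETH),))

if __name__ == "__main__":
    for name, trace in [("honest", HONEST_TRACE), ("revert", REVERT_TRACE), ("oog", OOG_TRACE)]:
        print(name, evaluate_deposit(trace, DEPOSIT))
```

In the Out of Gas trace the frame that pays the deposit address has no `error` of its own, which is exactly why a check that inspects only the transfer frame, or only the top-level transaction status, is not enough: the ancestor chain has to be walked, and any error anywhere in the tree must lead to rejection.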

Beyond the revert and Out of Gas methods, it cannot be ruled out that further methods of depositing ETH through a contract will appear in the future. SlowMist will continue to monitor the situation and research it.

At the same time, note that Ethereum-like blockchains may be exposed to similar risks. Please be aware.

SlowMist focuses on blockchain ecosystem security and has served over 1k+ customers.