Friday, August 28, 2020



A group of university researchers has published a study revealing a "fake deposit vulnerability" in Ethereum-based smart contracts. The findings show that more than 7,000 tokens built on Ethereum, worth over $1 billion, are vulnerable to two types of attacks that exploit smart contracts.

Researchers from the University of Queensland, Beijing University of Posts and Telecommunications, Zhejiang University and Peking University have published a paper describing the vulnerabilities affecting more than 7,000 Ethereum-based tokens.

In essence, the affected tokens share a verification method used in ERC20 contracts released after 2017. The vulnerability allows the token codebase to be manipulated, and hackers can easily steal millions of dollars by exploiting the "fake deposit vulnerability".

What's worse, there are more than 25 million smart contracts built on the Ethereum network, and the researchers say only "0.36% of them have released their source code according to our data set."

In addition, the paper explains that tokens are vulnerable on decentralized exchanges (dex) and centralized exchanges (cex) because these exchanges allow the coins to be exchanged "without comprehensive verification."

The research team made use of a tool called "Deposafe", which allows testing of a large number of ETH-based smart contracts.

"In this work, we have systematically flagged the vulnerability of fake deposits in Ethereum. Deposafe, an automated tool, is proposed to perform vulnerability detection and verification," the paper states.

"We demonstrated Deposafe efficiency by experimenting on a large number of smart contracts. Our observations reveal the prevalence of fraudulent deposit vulnerability in ERC20 smart contracts," wrote the university scholars.

Investigators found that 7,735 tokens could be affected by a fraudulent deposit vulnerability using "Type-I attacks". Meanwhile, 7,716 tokens were vulnerable to "Type-II attacks", with a market capitalization of over $1 billion.

"The number of holders and transactions will be 695 thousand and 4.6 million, respectively," the paper emphasized.

The paper also identifies dexes with high daily trading activity that are subject to bogus deposit attacks. The dex platforms listed in the research paper include EtherDelta, DDEX, and IDEX.

Centralized exchanges (cex) that fall victim to a bogus deposit attack can lose large amounts of funds.

"If cex allows these tokens to be traded without comprehensive verification, the financial losses will be enormous," the paper highlights.

The report's authors say that their efforts can "contribute to bringing developer awareness" and hopefully "promote best operational practices across the blockchain."

The cex platforms mentioned in the research study include companies such as Kraken, Binance, and Coinbase. ERC20 tokens suspected of being vulnerable to fraudulent deposit exploitation include BRC tokens, PWR tokens, BAT, HPT tokens, Cloudbric, RPL tokens, Moviecredits, and many more.
