The Future Coin

Bancor’s Bug Exposes Dangerously Common Practice in Ethereum DeFi

by The Future Coin
June 23, 2020
in Ethereum News

A vulnerability discovered in Bancor's smart contracts on Thursday would have allowed hackers to drain the funds of anyone who had interacted with them. The exploit relied on withdrawal authorization (the "approve"/allowance mechanism) introduced in the ERC-20 standard, which lets Ethereum-based decentralized applications withdraw tokens from users' wallets without a fresh signature for each withdrawal.

As Oded Leiba, a research engineer at ZenGo, wrote, the fund withdrawal function on Bancor’s smart contract was mistakenly set so that anyone could call it.

Bancor acted preemptively, using the same flaw to "steal" user funds itself before malicious parties could intervene.

Compounding this issue was the fact that Bancor’s contracts requested an unlimited authorization to withdraw money on the first interaction with the protocol. Even if users only planned to test the protocol with a limited amount of funds, the system could withdraw their entire balance of that particular token.

As it turns out, many other DApps on Ethereum do the same.

Unlimited approval for an unlimited time

As Leiba told Cointelegraph, many well-known decentralized finance apps request infinite approvals. Among those tested by the ZenGo team, Compound, Uniswap, bZX, Aave, Kyber and dYdX all feature infinite or extremely large approvals.

Kain Warwick, the founder of Synthetix, told Cointelegraph that infinite approvals allow for better usability and lower gas usage, with the trade-off of higher risk. So far, most DeFi platforms seem to prefer usability. Nevertheless, in the wake of the accident, Bancor decided to modify its contracts to only approve the necessary amount with each trade.

Cointelegraph also contacted Aave to learn more about their decision to use infinite allowances but did not receive a response.

Warwick believes that “it is a serious issue as each new contract you give an ‘infinite approval’ to exposes you to more tail risk if the contract is compromised.”

Even when the platform is no longer used, approvals remain in force. Leiba noted that over 160 addresses remain vulnerable to the bugged Bancor smart contract — presumably with no funds. Should they return to activity, however, hackers would be able to steal the money at any point in time.

Are the standards to blame?

There are fundamental limitations to the ERC-20 token standard commonly used today. For one, approvals cannot have a time limit, which could have helped mitigate some of the longer-term effects of infinite allowances.

Various competing standards such as ERC-223 sought to mitigate the issue by removing the need to grant approvals altogether. In most existing applications, interactions with a smart contract can be manually signed off each time without significantly impacting the user experience.

However, a smart contract is not notified of a plain "transfer" call made by a user and so cannot react to it. It must instead pull the tokens itself with the "transferFrom" function, which only works once the user has set up an allowance via the "approve" method.

Warwick explained that the team initially used the more advanced ERC-223 standard. However, issues with excessive gas usage and errors with contracts that didn’t support the new standard forced the community to abandon it. He added:

“Standards are hard, and when everything is designed for ERC20 unilaterally moving to ERC223 creates a lot of friction.”

How to fix this

Some wallets allow users to modify the specific amount of the allowance during the approval request — though few clearly disclose what the default value is. ZenGo implemented a system where approvals are sent concurrently with each transfer, which can help protect users at the cost of higher gas usage.

Warwick shared his security practices:

“I do give contracts infinite approvals but I am very careful which of my accounts I do it with and to which contracts I give it to because it is less friction, but much higher risk.”

He also suggested that it is “worth doing maintenance” by removing allowances on unused contracts through tools such as Revoke, Approved Zone and TAC.
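To make the trade-off concrete, here is an added example (not code from the article, Bancor or ZenGo) that models ERC-20 allowance bookkeeping in Python and computes how many of a user's tokens a compromised spender contract could pull after one trade under an infinite approval, an exact-amount approval, and after revocation. The names `alice` and `dex` and the balances are constructed placeholders.

```python
# Constructed model of ERC-20 allowance bookkeeping; not Bancor's, ZenGo's or any project's code.
from collections import defaultdict

UINT256_MAX = 2**256 - 1  # the "infinite" allowance many DeFi front-ends request

class ERC20:
    """Only the balance/allowance bookkeeping behind approve() and transferFrom()."""
    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.allowances = defaultdict(int)  # (owner, spender) -> amount still spendable

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount  # overwrites; ERC-20 has no expiry

    def transfer_from(self, spender, owner, to, amount):
        # The spender moves the owner's tokens; the token only checks the allowance,
        # not where the tokens go or why, so a compromised spender can pick any `to`.
        if amount > self.allowances[(owner, spender)] or amount > self.balances[owner]:
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] += amount

def exposure(token, owner, spender):
    """Tokens a compromised spender could pull right now: min(balance, allowance)."""
    return min(token.balances[owner], token.allowances[(owner, spender)])

def trade_infinite(token, user, dex, amount):
    """Usual DeFi front-end flow: one infinite approval, then a pull per trade."""
    if token.allowances[(user, dex)] < amount:
        token.approve(user, dex, UINT256_MAX)
    token.transfer_from(dex, user, dex, amount)

def trade_exact(token, user, dex, amount):
    """Bancor's post-incident flow per the article: approve only this trade's amount."""
    token.approve(user, dex, amount)
    token.transfer_from(dex, user, dex, amount)

def revoke(token, owner, spender):
    token.approve(owner, spender, 0)  # the "maintenance" step: allowance back to zero

def compare(balance=1000, amount=10):
    """Funds still exposed to the dex after one trade of `amount` under each policy."""
    inf, exact, rev = (ERC20({"alice": balance}) for _ in range(3))
    trade_infinite(inf, "alice", "dex", amount)
    trade_exact(exact, "alice", "dex", amount)
    trade_infinite(rev, "alice", "dex", amount)
    revoke(rev, "alice", "dex")
    return {name: exposure(t, "alice", "dex")
            for name, t in (("infinite", inf), ("exact", exact), ("revoked", rev))}
```

An allowance on an empty account exposes nothing today, but it is still in force: any tokens deposited later are immediately pullable again, which is the dormant-address risk described above.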

© 2020 Coingraph