A team of university researchers has published a study that explains the ‘fake deposit vulnerability’ in smart contracts based on the Ethereum network. The findings show that more than 7,000 tokens built on the Ethereum blockchain, worth over $1 billion, are vulnerable to two kinds of attacks that take advantage of smart contracts.
Experts from the University of Queensland, Beijing University of Posts and Telecommunications, Zhejiang University, and Peking University have published a paper that demystifies a flaw held by more than 7,000 Ethereum-based tokens.
Both DEX and CEX Platforms are at Risk
Basically, the affected tokens use verification methods that fall short of those in ERC20 contracts launched after 2017. The vulnerability enables the token’s codebase to be controlled, and attackers can easily steal millions of dollars by exploiting the ‘fake deposit vulnerability.’
Even worse, the researchers found that of the more than 25 million smart contracts developed on the Ethereum network, only 0.36 percent have revealed their source code, according to the team’s dataset.
In addition, the paper notes that the tokens are exposed on both decentralized exchanges (DEX) and centralized exchanges (CEX) because these platforms allow the assets to be traded without thorough verification.
The team of experts leveraged a tool known as ‘Deposafe,’ which enables the testing of a large number of Ethereum-based smart contracts.
“In this work, we have systematically characterized the fake deposit vulnerability in Ethereum. Deposafe, an automated tool, is proposed to perform the detection and verification of the vulnerability,” the paper states.
“We demonstrate the efficiency of Deposafe with experiments on a large number of smart contracts. Our observations reveal the prevalence of fake deposit vulnerability in the ERC20 smart contracts,” the university’s scholars said.
Platforms Vulnerable to the Fake Deposit Exploit
The team of investigators found that 7,735 tokens can be impacted by the fake deposit vulnerability using a ‘Type-I attack,’ and another 7,716 tokens are susceptible to a ‘Type-II attack,’ with a market capitalization of more than $1 billion.
“The number of holders and transactions would be 695K and 4.6 million respectively,” the paper emphasizes.
The research has also identified the DEXes that see high daily trading activity and could be impacted by the fake deposit hack. DEX platforms listed in the released paper include Ether Delta, DDEX, and IDEX.
Centralized exchange platforms that end up falling victim to the fake deposit attack could lose considerable amounts of funds, according to the study.
“If a CEX allows these tokens to be traded without comprehensive verification, the financial loss will be tremendous,” the paper states.
The authors of the new report noted that their efforts and the information they have provided could help raise developer awareness and, hopefully, encourage best operational practices across blockchains.
CEX platforms mentioned in the researchers’ paper include firms like Kraken, Binance, and Coinbase. ERC20 tokens that are reportedly vulnerable to the fake deposit attack include BRC token, PWR token, BAT, HPT token, Cloudbric, RPL token, Moviecredits, and more.