White hat hackers helped well-known crypto exchanges eliminate a dangerous vulnerability

May 10, 2018 4:27 PM

Remember how Oleksii Matiiasevych helped prevent a crisis at a major crypto marketplace? He personally saved $1.5 million of Parity that could have been stolen by black hat hackers. Recently, he proved his white hat again by identifying a vulnerability shared by 8 top-rated cryptocurrency exchanges.

A few weeks ago, an inconspicuous report appeared that a number of well-known crypto exchanges were affected by a batchOverflow bug in multiple ERC20 smart contracts.

In fact, the vulnerability was identified more than a month ago by Hacken’s advisor, Oleksii Matiiasevych. While testing various cryptocurrency exchanges, Oleksii found this security flaw and confirmed that it can be exploited to withdraw arbitrary amounts of ETH and/or other cryptocurrencies from vulnerable exchanges. The white hat hacker assumed that the problem lay in the deposit-processing code.

The tests showed that at least 8 well-known centralized exchanges have this bug. However, Matiiasevych noted that decentralized exchanges without a hot wallet/pool are not affected. Together with Ambisafe, the Giveth platform, and the white hat hacker community, Matiiasevych compiled a detailed report called “ETH/ETC Deposits Processing General Security Breach Report” with recommendations on how to eliminate the vulnerability.

The report notes that the attack works against ETH and ETC, but can also be relevant for a number of forks, especially coins such as UBIQ, EXP, POA, TOMO, and ELLA.

“We reported this to all the exchange platforms where this vulnerability was discovered. After that, we sent our report to almost 200 exchanges, which could also be potentially vulnerable, thus, it seemed that we did everything we could.”

However, the next day, Matiiasevych realized that hackers might actually have another way to take advantage of the vulnerability.

In the report, the developers recommend stopping acceptance of ETH and ETC deposits and carefully reviewing the deposit-processing code by converting the flat list of internal-transaction traces into a nested list. A number of further actions were then necessary to eliminate the problem. The report also gives a few recommendations on how to close off the second method of exploiting the vulnerability.
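The report itself is not reproduced on this page, so the following is an added illustration of the review step it recommends, not code from Hacken, Ambisafe or the report. It assumes Parity-style traces (each trace carries a `traceAddress` path and, on a reverted call, an `error` field) and assumes that the purpose of nesting is to propagate a failed parent call to the transfers beneath it: a processor that credits every transfer to the deposit address found in the flat list, without looking at enclosing calls, credits funds that never arrived. The addresses and the trace list are constructed for the example.

```python
from typing import Any, Dict, List, Tuple

# Constructed placeholder addresses for the example; not real accounts.
DEPOSIT_ADDRESS = "0xEXCHANGEDEPOSIT"
USER_CONTRACT = "0xUSERCONTRACT"
HELPER = "0xHELPER"
SENDER = "0xSENDER"

ONE_ETH = 10 ** 18

# Constructed sample: a flat, Parity-style trace list for one transaction.
# Trace [0] reverted, so the 1 ETH transfer in its child trace [0, 0] never
# took effect on chain; only the 2 ETH transfer in trace [1] did.
SAMPLE_TRACES: List[Dict[str, Any]] = [
    {"traceAddress": [], "action": {"from": SENDER, "to": USER_CONTRACT, "value": "0x0"}},
    {"traceAddress": [0], "action": {"from": USER_CONTRACT, "to": HELPER, "value": "0x0"},
     "error": "Reverted"},
    {"traceAddress": [0, 0], "action": {"from": HELPER, "to": DEPOSIT_ADDRESS, "value": hex(ONE_ETH)}},
    {"traceAddress": [1], "action": {"from": USER_CONTRACT, "to": DEPOSIT_ADDRESS, "value": hex(2 * ONE_ETH)}},
]


def _to_wei(value: Any) -> int:
    """Trace values arrive as hex strings ("0x...") or ints; normalise to int wei."""
    if isinstance(value, str):
        return int(value, 16)
    return int(value)


def nest_traces(flat: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Rebuild the call tree from a flat trace list using each trace's traceAddress.

    A trace's parent is the trace whose traceAddress is its own minus the last
    element. Returns the list of root nodes (normally one per transaction).
    """
    nodes = {tuple(t["traceAddress"]): {"trace": t, "children": []} for t in flat}
    roots: List[Dict[str, Any]] = []
    # Parents have shorter addresses, so sorting by length attaches parents before children.
    for addr, node in sorted(nodes.items(), key=lambda kv: (len(kv[0]), kv[0])):
        if not addr:
            roots.append(node)
            continue
        parent = nodes.get(addr[:-1])
        if parent is None:
            raise ValueError(f"orphan trace with traceAddress {list(addr)}")
        parent["children"].append(node)
    return roots


def effective_transfers(roots: List[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """Collect (to, value) for value transfers that actually took effect.

    A transfer counts only if neither its own trace nor any ancestor trace
    carries an error: a revert in an enclosing call undoes everything beneath it.
    """
    out: List[Tuple[str, int]] = []

    def walk(node: Dict[str, Any], ancestor_failed: bool) -> None:
        trace = node["trace"]
        failed = ancestor_failed or bool(trace.get("error"))
        action = trace.get("action", {})
        value = _to_wei(action.get("value", 0))
        if not failed and value > 0 and "to" in action:
            out.append((action["to"], value))
        for child in node["children"]:
            walk(child, failed)

    for root in roots:
        walk(root, False)
    return out


def credited_deposit(flat: List[Dict[str, Any]], deposit_address: str) -> int:
    """Amount (wei) a deposit processor should credit for this transaction."""
    return sum(v for to, v in effective_transfers(nest_traces(flat))
               if to.lower() == deposit_address.lower())


def naive_credited_deposit(flat: List[Dict[str, Any]], deposit_address: str) -> int:
    """The flawed approach: credit every transfer to the deposit address found in
    the flat list, never checking whether an enclosing call reverted."""
    return sum(_to_wei(t["action"].get("value", 0)) for t in flat
               if t["action"].get("to", "").lower() == deposit_address.lower())


if __name__ == "__main__":
    print("naive credit:  ", naive_credited_deposit(SAMPLE_TRACES, DEPOSIT_ADDRESS) / ONE_ETH, "ETH")
    print("correct credit:", credited_deposit(SAMPLE_TRACES, DEPOSIT_ADDRESS) / ONE_ETH, "ETH")
```

On the constructed transaction the flat approach credits 3 ETH while only 2 ETH actually reached the deposit address; the difference is exactly the kind of phantom balance a deposit processor must never create. A real processor would additionally check the transaction's own receipt status and wait for sufficient confirmations before crediting anything.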

The vast majority of exchanges made public comments concerning the bug. They announced that they were suspending ERC20 token trading until the circumstances were clarified.

“Today, the word ‘hacker’ has gained a new, positive connotation. White hat hackers, such as Oleksii Matiiasevych, report bugs with the aim of making the crypto world safer. We all should thank developers for contacting vulnerable crypto exchanges and assisting them in resolving the issue. Coinbase showed a great example that exchanges should take care of their clients by reacting immediately to identified vulnerabilities. Cybersecurity matters.”

- Dmytro Budorin, CEO of Hacken.

The number of problems caused by flaws in crypto exchanges increases daily, and that can harm the prosperity of the blockchain and crypto industries. At the end of May, Hacken will launch the MVP of its special new product, CER. The Crypto Exchange Ranks will provide an all-inclusive, objective analysis of crypto exchanges, taking into account this and similar cases. Starting from June, every crypto enthusiast, professional trader, crypto exchange, and independent governmental agency will enjoy the benefits of safe trading.
