A company-developer dubbed Level K found the vulnerability and made it public knowledge in its blogpost, saying that it had also notified as many crypto exchanges as possible, warning them of the danger. Level K also reports that the exchanges have installed software patches to protect themselves.
What risks the bug bears for the network
The weakness is activated when ETH is transferred to a wallet that can afterwards conduct arbitrary computations for which the operation initiator pays and which bears the risk of ‘griefing’ — this is what a bad actor does to harm users of the ecosystem. The theory goes that the person behind an attack can make the initiator of the transaction, a crypto exchange in this case, pay for an arbitrary computation, unless the exchange has gas limits activated.
Potentially, a dirty player can mint a great amount of Gas when he or she receives Ether, making this griefing attack and giving them a huge profit.
All ETH tokens are vulnerable
The worst part of this is that it is not only ETH that can be used for the illegal minting of Gas. The bug can also spread its effect on all other ETH-based tokens, such as ERC721 or ERC20-based ones. If exchanges do not implement a gas limit for transactions when it comes to contract calls for transfers, they are at a risk of having to pay for a great volume of computation.
Per Level K, slightly over a week ago private messages were sent to the trading platforms that could potentially suffer from this weak point in the Ethereum protocol to notify them of the possible danger. They have all now installed patches to eliminate the bug.