
When Googling "fake erc20 deposit" there are a lot of articles about hacked tokens affecting centralized exchanges only, but I failed to find a reference describing how the attack works technically.

The only technical description I found is not useful because of the language: https://mp.weixin.qq.com/s/3cMbE6p_4qCdVLa4FNA5-A

user2284570

  • https://arxiv.org/pdf/2006.06419.pdf – Richard Horrocks Nov 18 '20 at 19:13
  • Thank you @user2284570 - deleted my answer. – Mikko Ohtamaa Nov 19 '20 at 10:28
  • The paper is a bit overblown: "DEPOSafe, an automated tool is proposed to perform the detection and verification of the vulnerability. We demonstrate the efficiency of DEPOSafe with experiments on a large number of smart contracts. Our observations reveal the prevalence of fake deposit vulnerability in the ERC-20 smart contracts." Tokens like BAT predate the ERC-20 standard and they just behave differently (return vs throw). I would not call this a vulnerability, but a different implementation. Also it can be verified in 1 minute by reading the token source on Etherscan. – Mikko Ohtamaa Nov 19 '20 at 10:29
  • There was some discussion if ERC-20 should settle with return or throw on error cases, you can still find this discussion on Github. – Mikko Ohtamaa Nov 19 '20 at 10:32
  • @MikkoOhtamaa it still details the incorrect behavior of exchanges (which look for a successful transaction instead of paying attention to the logged event, which is what ERC20 is really about). – user2284570 Nov 19 '20 at 11:06
  • Are there any such exchanges that do this incorrectly? ERC-20 logs behaviour is very well known. I would be surprised if any exchange implements it incorrectly, as they would be very very amateur. The paper feels a bit like scaremongering by security researchers trying to make a name for themselves on a non-existing issue, instead of having a real attack vector. – Mikko Ohtamaa Nov 19 '20 at 11:57
  • @MikkoOhtamaa according to the news, plenty. Including Poloniex. It goes as far as usdt on Omni hacked that way. – user2284570 Nov 19 '20 at 14:13
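The comments above describe the mechanism in two sentences: some older tokens return `false` from `transfer()` instead of reverting, so the transaction still succeeds on chain, and a deposit monitor that credits on transaction success alone (instead of on the token's `Transfer` event) records a deposit that never happened. The example below is added here to illustrate that distinction; it is not code from the question, the linked paper, or any exchange. It models transaction receipts as plain Python objects rather than using web3, and the addresses, amounts and receipts are constructed sample data. The `Transfer` topic hash is the real keccak-256 of `Transfer(address,address,uint256)`.

```python
# Added example: exchange-side ERC-20 deposit crediting, naive vs. event-based.
# Receipts and addresses below are constructed for illustration; no chain access.
from dataclasses import dataclass, field
from typing import Dict, List

# keccak256("Transfer(address,address,uint256)"): the ERC-20 Transfer event signature.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed sample addresses (hypothetical, not real contracts).
TOKEN = "0x" + "aa" * 20      # the token contract the exchange actually lists
LOOKALIKE = "0x" + "bb" * 20  # some other contract emitting a Transfer with the same symbol
EXCHANGE = "0x" + "cc" * 20   # the exchange's deposit address
USER = "0x" + "dd" * 20       # the depositing account
AMOUNT = 10 ** 18             # 1 token with 18 decimals


@dataclass
class Log:
    address: str       # contract that emitted the log
    topics: List[str]  # topics[0] = event signature, [1] = from, [2] = to (32-byte padded)
    data: str          # ABI-encoded uint256 value, hex string


@dataclass
class Receipt:
    status: int                          # 1 = succeeded, 0 = reverted
    logs: List[Log] = field(default_factory=list)


def pad_address(addr: str) -> str:
    """Zero-pad a 20-byte address to the 32-byte form used in indexed event topics."""
    hexpart = addr[2:] if addr.startswith("0x") else addr
    return "0x" + hexpart.lower().rjust(64, "0")


def encode_uint256(value: int) -> str:
    """ABI-encode an unsigned integer as a 32-byte hex word."""
    return "0x" + format(value, "064x")


def naive_credit(receipt: Receipt, claimed_amount: int) -> int:
    """The anti-pattern: credit the claimed amount whenever the transaction succeeded."""
    return claimed_amount if receipt.status == 1 else 0


def event_based_credit(receipt: Receipt, token: str, deposit_addr: str) -> int:
    """Credit only what the listed token contract itself reported as transferred to us.

    Each log must (1) come from the token contract address, (2) carry the Transfer
    signature with two indexed parameters, and (3) name the deposit address as `to`.
    The amount comes from the event data, never from the user's claim.
    """
    if receipt.status != 1:
        return 0
    credited = 0
    for log in receipt.logs:
        if log.address.lower() != token.lower():
            continue  # emitted by a different contract: a look-alike token or anything else
        if len(log.topics) != 3 or log.topics[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-20 Transfer event
        if log.topics[2].lower() != pad_address(deposit_addr):
            continue  # transfer to someone else
        credited += int(log.data, 16)
    return credited


def sample_receipts() -> Dict[str, Receipt]:
    """Constructed receipts covering the cases discussed in the comments."""
    genuine_log = Log(TOKEN, [TRANSFER_TOPIC, pad_address(USER), pad_address(EXCHANGE)],
                      encode_uint256(AMOUNT))
    lookalike_log = Log(LOOKALIKE, [TRANSFER_TOPIC, pad_address(USER), pad_address(EXCHANGE)],
                        encode_uint256(AMOUNT))
    return {
        # token that throws on insufficient balance: whole tx reverts, nothing to credit
        "reverted": Receipt(status=0),
        # BAT-style token: transfer() returned false, tx succeeded, no Transfer emitted
        "returned_false": Receipt(status=1, logs=[]),
        # a real transfer from the listed token contract to the deposit address
        "genuine": Receipt(status=1, logs=[genuine_log]),
        # a Transfer event from an unrelated contract, not the listed token
        "lookalike": Receipt(status=1, logs=[lookalike_log]),
    }


if __name__ == "__main__":
    for name, receipt in sample_receipts().items():
        print(f"{name:15s} naive={naive_credit(receipt, AMOUNT):>20} "
              f"event_based={event_based_credit(receipt, TOKEN, EXCHANGE):>20}")
```

The `returned_false` case is the one the paper calls a fake deposit: `naive_credit` books the full claimed amount because the transaction succeeded, while `event_based_credit` books nothing because the token emitted no `Transfer`. The `lookalike` case shows why the log's emitting `address` must be compared against the listed token contract and not just matched on event signature. In practice a monitor would also confirm the receipt's block is sufficiently deep and can cross-check `balanceOf(deposit_addr)` before and after, but the event filter is the check the comments are about.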

0 Answers