EtherDelta XSS vulnerability
EtherDelta (ED) is a popular decentralised exchange run by Zack Coburn and Tina Trinh.
It uses an Ethereum smart contract to allow users to trade tokens in a trustless manner in exchange for a small percentage fee charged on each transaction.
The site recently published the following tweet:
It was found to have a Cross-site scripting (XSS) vulnerability caused by unsanitized input from token contracts. The bug caused several users to have their funds drained from their wallets.
Cross-site scripting is a technique which allows an attacker to inject malicious code into an otherwise innocuous web page. Since the injected code is executed client-side, it has access to any information available to the user themselves.
ED is frequently the first port of call for Initial Coin Offering (ICO) participants looking to trade their freshly minted tokens, because it is possible to trade any token provided you know its contract address.
Adding a custom token to ED
Custom tokens can be accessed via a link with the following format:
https://etherdelta.com/#0x0000000000000000000000000000000000000000-ETH
To transfer tokens to and from ED, users can submit their private key.
Importing an account into ED
The attack involved adding malicious code to the token contract's metadata. Because the contract field was not sanitized by ED before being rendered, the attacker could execute code in a victim's browser if they clicked on a completely legitimate-looking link to https://etherdelta.com.
The code was designed to read the victim's private key, if it had been imported, and send it to a website controlled by the attacker, who could then collect the keys and empty the wallets at their leisure.
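The two pieces described above, the custom-token link format and the rendering of contract-supplied strings, are illustrated in the following added example. It is not EtherDelta's code; the token registry, the function names and the hostile token metadata are all constructed for the illustration. It shows the unsafe concatenation pattern beside an escaped version, and a parser that only accepts a well-formed address in the link fragment.

```javascript
// Added example (not EtherDelta's own code). Demonstrates why strings read from
// a token contract must be treated as untrusted input before they reach the page.

// Constructed addresses for the sample registry (hypothetical, not real tokens).
const ZERO_ADDR = "0x" + "0".repeat(40);
const HOSTILE_ADDR = "0x" + "1".repeat(40);

// Constructed sample of what a contract's name()/symbol() might return.
// Anyone can deploy a contract, so these values are attacker-controlled.
const SAMPLE_TOKENS = {
  [ZERO_ADDR]: { name: "Example Token", symbol: "EXT" },
  // Hostile metadata: markup where a plain name is expected.
  [HOSTILE_ADDR]: { name: "<script>alert(1)</script>", symbol: "<b>EVIL</b>" },
};

// Parse a "#<address>-<quote>" fragment (the link format from the article).
// Returns null unless the address is exactly 0x followed by 40 hex characters.
function parseTokenFragment(fragment) {
  const m = /^#?(0x[0-9a-fA-F]{40})-([A-Z]{2,10})$/.exec(fragment);
  if (!m) return null;
  return { address: m[1].toLowerCase(), quote: m[2] };
}

// Minimal HTML escaping for text content and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern: contract-supplied strings concatenated straight into markup.
// If the name contains a <script> tag, the browser will run it in the site's origin.
function renderTokenUnsafe(token) {
  return `<span class="token">${token.name} (${token.symbol})</span>`;
}

// HARDENED pattern: every untrusted field is escaped before it reaches the DOM.
// In a real page, setting textContent instead of innerHTML achieves the same thing.
function renderTokenSafe(token) {
  return `<span class="token">${escapeHtml(token.name)} (${escapeHtml(token.symbol)})</span>`;
}

// Check used by the tests: does the rendered HTML still contain any untrusted
// string that itself looks like markup?
function containsRawTag(html, untrusted) {
  return untrusted.some((s) => /<[a-zA-Z]/.test(s) && html.includes(s));
}

// End-to-end: take a link, validate the fragment, look the token up, render safely.
function renderFromLink(link, registry = SAMPLE_TOKENS) {
  const hashIndex = link.indexOf("#");
  if (hashIndex < 0) return { error: "no token fragment in link" };
  const parsed = parseTokenFragment(link.slice(hashIndex));
  if (!parsed) return { error: "malformed token link" };
  const token = registry[parsed.address];
  if (!token) return { error: "unknown token" };
  return { html: renderTokenSafe(token), quote: parsed.quote };
}

console.log(renderFromLink(`https://etherdelta.com/#${HOSTILE_ADDR}-ETH`).html);
```

The escaping function is the important part: it is applied to every field read from the contract, not just the ones that looked suspicious in this incident, because any string the contract returns is under the deployer's control.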
This unfortunate incident underlines the importance of code review and bug bounty programs. So far no bounty has been issued and no compensation has been offered to victims.
EtherDelta tweeted @ 25 Sep 2017 - 03:22 UTC
When will bounty be offered to victims of bitzure.com? Why is nobody bringing awareness to this scam?