Potential Attack on Ethereum Network to mint GasTokens

Ethereum Network Vulnerability

The latest vulnerability in the Ethereum framework, uncovered by levelk, potentially allows bad actors to mint large amounts of GasTokens or drain funds.

Discovered by whom?

In levelk's hypothetical case study, it is possible to mint a large amount of GasTokens while receiving ETH, any ERC20 token, or any other standard token.

The vulnerability comes to light when the fallback function of a receiver contract is able to carry out arbitrary computations that the transaction producer pays for, which brings with it the risk of 'griefing'.

What is a griefer?

A griefer or bad-faith player is a player in a multiplayer video game who deliberately irritates and harasses other players within the game, using aspects of the game in intended or unintended ways, according to Wikipedia.

What is GAS?

Gas is a fundamental resource on the Ethereum blockchain: every transaction on the Ethereum network requires some amount of gas to execute, whether the gas price is 1 gwei or a two- or three-digit number of gwei.

What is GasToken?

GasToken is a kind of smart contract on the Ethereum blockchain that allows Ethereum users to tokenize gas when gas prices are low and spend it when gas prices are high.

It was also the first smart contract through which a user or owner was able to buy and sell gas on the Ethereum network.

How does GasToken work?

GasToken works by taking advantage of the storage refund concept in Ethereum: to encourage smart contracts to delete storage variables, the Ethereum network provides a refund when a storage variable is deleted, up to half of the gas used by the transaction.

● If a variable is changed from zero to a non-zero value, there is a gas fee
● If a variable is changed from a non-zero value to zero, there is a gas refund

To profit from gasToken:

● Mint tokens when gasPrice is low: change a variable from a zero value to non-zero.
● Burn tokens when gasPrice is high: change a variable from non-zero to zero.

Example:

Writing permanent blockchain state costs a significant amount of gas. For instance, the SSTORE instruction currently costs 20000 gas when writing a non-zero value to storage. Erasing the storage costs an additional 5000 gas, but also provides a refund of 15000 gas.

Suppose we write to storage when the gas price is low, at gas_low, and redeem the token for a refund when gas prices are high, at gas_high. Our total expenses per storage word are:

20000 · gas_low + 5000 · gas_high

We receive a refund per word of:

15000 · gas_high

We could expect savings whenever:

gas_high > 2 · gas_low
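The mint/burn mechanism described in the list and the example above, written out as an added Solidity sketch. This is not the GasToken project's own code; the contract and function names are assumptions. Each minted token is one storage slot set from zero to non-zero (paid for at SSTORE cost), and each burned token is that slot cleared back to zero, which triggers the refund. Because the refund is capped at half of the gas used by the transaction, burning only pays off when it is done inside a transaction that performs enough other work.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative GST1-style gas bank (assumed names, not the real GasToken code).
// Banking gas means paying the zero -> non-zero SSTORE cost while gas is cheap;
// redeeming means clearing those slots (non-zero -> zero) while gas is expensive
// so that the refund offsets the cost of the surrounding transaction.
contract StorageGasBank {
    // Number of banked slots per holder.
    mapping(address => uint256) public balanceOf;

    // The banked slots themselves. Any non-zero marker value works; the gas
    // accounting only depends on the zero / non-zero transition.
    mapping(address => mapping(uint256 => uint256)) private slots;

    // Mint n tokens: n fresh storage writes from zero to non-zero.
    // Call this when gas_low is in effect.
    function mint(uint256 n) external {
        uint256 start = balanceOf[msg.sender];
        for (uint256 i = 0; i < n; i++) {
            slots[msg.sender][start + i] = 1; // zero -> non-zero: costs gas
        }
        balanceOf[msg.sender] = start + n;
    }

    // Burn n tokens: n storage writes from non-zero back to zero, each one
    // producing a refund. The refund is only credited at the end of the
    // transaction and is capped at half of the gas the transaction used, so
    // callers should burn from within the expensive transaction they want to
    // subsidise, when gas_high is in effect.
    function burn(uint256 n) external {
        uint256 end = balanceOf[msg.sender];
        require(n <= end, "insufficient banked gas");
        for (uint256 i = 0; i < n; i++) {
            delete slots[msg.sender][end - 1 - i]; // non-zero -> zero: refund
        }
        balanceOf[msg.sender] = end - n;
    }
}
```

The savings condition from the example carries over directly: with the figures quoted above, each burned slot costs 5000 gas at gas_high and refunds 15000 gas at gas_high, against the 20000 gas paid at gas_low when it was minted, so the holder comes out ahead only when gas_high exceeds twice gas_low.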

There are actually two versions of GasToken: GST1, which uses storage to bank gas (the variant used in the example above), and GST2, which banks gas by creating contracts and takes advantage of the gas refund obtained when a whole contract is deleted.

Comparison between two versions of GasToken (figure)

How does the attacker benefit?

A GasToken holder can decrease the cost of a transaction when gasPrice is high by burning GasTokens that were minted when gasPrice was low. The attack on an exchange works as follows: the attacker calls the exchange's withdraw function, which initiates a transfer of ETH or of any ERC token to an address controlled by the attacker. That transfer invokes the fallback function of the attacker's smart contract, and since the transaction originator pays for everything the fallback function does, the attacker is able to mint GasTokens or execute computation that may drain the transaction originator's funds.

Suggestions to avoid this type of attack

Most exchanges are already aware of this type of minting attack but still fail to cover all of its variants. The reasons are a lack of developer knowledge and awareness of these attacks, and the fact that existing tools are not able to verify all potential bugs and vulnerabilities in smart contracts, most of them related to delegate calls. The attack is even more harmful for exchanges that have not implemented a proper KYC process, as attackers can repeatedly mint GasTokens using different addresses.

A gas limit should be applied to every outgoing transaction, so that the maximum cost the exchange can pay is bounded by:

required_gas_limit * gas_price
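The withdraw pattern the attack relies on, next to the bounded form suggested above, as an added Solidity example. This is not code from the original post or from any exchange; contract names, the operator role and the FORWARD_GAS figure are assumptions. The vulnerable variant forwards all remaining gas to the recipient, so whatever the recipient's fallback or receive function does is paid for by whoever sent the withdrawal transaction. The hardened variant caps the gas the recipient may consume, which makes the worst-case cost of the transaction predictable and lets the exchange set the transaction gas limit to required_gas_limit and budget required_gas_limit * gas_price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hot-wallet payout contract as the post describes it: the exchange's operator
// key sends the withdrawal transaction, so the exchange pays the gas.
// Assumed names throughout; this is an illustrative sketch only.
contract UnboundedPayout {
    address public immutable operator;

    constructor() {
        operator = msg.sender;
    }

    receive() external payable {}

    // VULNERABLE: call{value: ...} with no gas cap forwards all remaining gas.
    // A contract recipient can spend that gas in its fallback (for example on
    // storage writes that mint GasTokens) and the operator foots the bill.
    function payout(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "payout failed");
    }
}

contract BoundedPayout {
    address public immutable operator;

    // Gas forwarded to the recipient. 2300 matches the stipend of transfer()
    // and is enough to log an event but not to perform storage writes; the
    // exact figure is an assumption and should be chosen for the recipients
    // the exchange intends to support.
    uint256 public constant FORWARD_GAS = 2300;

    constructor() {
        operator = msg.sender;
    }

    receive() external payable {}

    // HARDENED: the recipient can consume at most FORWARD_GAS, so the whole
    // transaction costs at most (base cost + FORWARD_GAS) gas. The operator
    // signs the transaction with a gas limit of that size (required_gas_limit)
    // and its spend is capped at required_gas_limit * gas_price.
    function payout(address payable to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        (bool ok, ) = to.call{value: amount, gas: FORWARD_GAS}("");
        require(ok, "payout failed");
    }
}
```

The contract-level cap and the transaction-level gas limit complement each other: the cap keeps a single recipient from consuming the budget, and the limit on the signed transaction guarantees that even an unexpected code path cannot cost more than required_gas_limit * gas_price. Withdrawals that legitimately need more gas (for example to a multisig wallet) should be handled through a separate, explicitly reviewed path rather than by raising the default cap for everyone.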

At QuillHash, we understand the potential of blockchain and have a good team of developers who can develop any blockchain application, such as Smart Contracts, dApps, Smart Coins, DeFi and DEX, on any blockchain platform like Ethereum, EOS and Hyperledger.
