Okay, this is the Gas Siphon Attack. It's called the technical and economic realities behind hacking and exchanges. It's a little bit of an intro to gas token and then a story about a bunch of exchange exploits we found last year and then how that all came about and what you can do to protect yourself against it. We're gonna start with a live demo. So if you guys wanna take out your phone and scan this, this is a cryptocurrency or an Ethereum address that's a contract. If you send any money to it, you will, I don't know if you'll get it back, so it doesn't sound very much, but it does bring you gas token. So the whole point of this talk is about gas token. So if you send a transaction, what you'll do is make yourself $5 in gas token, so you will lose $5. You do this, but you will get it in gas token. So try that out if you want. And while this is up on the screen, I'm gonna basically take a second to describe what gas token is, what the hack was, and then we'll go through how it all played out.

So it looks like everyone's all done. So what this was, what the Gas Siphon hack was, was an exploit. Basically anyone who subsidized costs of Ethereum transactions was vulnerable to this, in that someone could use the subsidized payments to print out gas token. And what gas token is, is this mechanism. Let me take a step back. In Ethereum there's a mechanism in which you can be rewarded for refunding, for removing state from the network. And so when you remove state from the network, what Ethereum does is it pays you back in gas refunds. And what this hack is, is taking advantage of those refunds that are built into the Ethereum ecosystem. And so in order to execute this kind of attack, it's very simple: you deploy a contract, which we'll go over in a minute, or the same kind of contract you guys just transacted with. You initiate a withdrawal from an exchange, or from someone who pays for your transactions.
You send the withdrawal to this contract and the contract does its magic. And then at the end of the transaction you get minted gas token and the money comes straight from the exchange, independent of your actual holding on the exchange.

And then a little background about myself. So myself and Chris are co-founders of the Gas Siphon attack. So we kind of found this and helped bring it to the attention of the public. I'm also co-founder of Authereum, which is a wallet provider and dapp login solution, as well as ZeroTrust, which is an auditing firm, and we audit a bunch of smart contracts.

This is a little definition of gas token, but like I said, it's basically a token that represents a refund on the Ethereum network. The refund is in gas and the idea being, if you spend 100,000 gas on a transaction, you can use this refund to actually only pay 50,000, and there's reasons it exists that we'll get into in a minute. And then one big question I always get is, is gas token good? So is it good to offer someone an incentive to clear the state on the network? And it sounds like a good idea. The reason it exists in Ethereum is because developers should create state on the network and then clear the state later on so that the chain is not as big. So the incentive is there, but the problem is people are starting to use it for bad. They're hoarding gas tokens, they're bloating the state, so that in the future, when the network is very bloated and gas is very expensive, they can get these refunds at a much more efficient price. And so the idea of gas token is a very good idea. The implementation as we've seen it isn't so good, so we'll see how it plays out in the end.

And how people are using gas tokens today, a lot has to do with arbitrage. So the idea being, if I want to make a transaction on Uniswap and make some arbitrage through exchanges and I might have a dollar profit to be made, someone else with gas token might be able to make that same transaction.
And what they can do is use gas token and, like I said, it reduces the fees. I'm sorry, the gas costs. And so that $1 now turns into $1.10 for someone. And when that happens, they've now effectively gotten an advantage in arbitrage that no one else who doesn't have gas token does. So it's pretty dangerous in that sense. That's usually pretty well coupled with front running. So a lot of people do front running and gas token arbitrage in the same vein. It works for them; no one really knows how it really affects the network. Finally, exchanges can use gas token as kind of a hedge or gas futures. So you can imagine if exchanges print a bunch of gas token now, then in the future when gas is very expensive, they might be able to even that out by basically having bought gas futures now, so that when the network's clogged, they can still provide their customers with a very constant gas price.

I'm gonna run through the code real quick of the gas token. It's quite simple. You don't really need to understand code to understand this. But here's the whole contract you just interacted with. And there's only four functions. So here's setMintRate. And all this does is set a rate of tokens you want to mint. So this would say, you set it to mint five tokens per transaction, so that when you withdrew from an exchange, you'd mint five tokens, and you can change this. And the higher the rate, the higher your gas limit of the transaction would be. The actual mint function, again, this is just a token. It's an ERC-20 token. And so you just call token.mint and then the number of tokens that you pass in. So that's also very simple. This is the fallback function. So the reason this works with exchanges is when you don't provide data to a transaction, the contract automatically calls the fallback function. In this case, it is mint. So now it calls the mint function given the mint rate you previously provided. You don't need to do anything.
The exchange now is basically paying for you. And finally, you can withdraw the token. So the tokens will live on the contract and then you withdraw them. And so this is just transferring the tokens out, as well as either, if there's some in there. So it's very simple to execute this. It's dangerously simple, some would say. So good.

Here is an example transaction. And then you probably can't see this, but it's an Etherscan contract and this is a withdrawal from an exchange. And it's a withdrawal of 0.01 Ether, so nothing too crazy. But if you look here, there's a transaction fee of $34.2 Ether effectively, and the gas limit is six and a half million. And so this is from a big exchange and it basically went straight to the contract and the exchange paid six and a half million gas at 30 gwei gas price for free. And what people can do with this is now take advantage of it and print gas tokens. So this is the first transaction we did when finding the exploit. And so you can look it up if you want, but it's pretty dangerous.

And so who was affected by this? The exchanges, like we've just been talking about. Metatransaction relayers who subsidize gas costs. This can kind of be scoped out to just anyone who subsidizes gas costs. If someone's paying for your gas and for your transactions, there's a really, really good chance that you can print gas token on their dime. So if any of you are doing this, just watch out for this. You can set limits to the transactions, but we'll go over that in a minute. And really any EVM-based chain that, again, subsidizes the transactions and has this kind of mechanism built into it. How can they fix it? Don't pay for users' gas. I know it's a really nice UX to be able to pay for your users' gas, but if you are paying for gas they are gonna try to take advantage of the free money. And this is one of the best ways for them to do it.

Now getting into a lot of pictures and a lot more interactive stuff. So here's a bunch of pictures of mobile wallets.
So this is, you can't see here, but Trust Wallet, Coinbase, MetaMask. And why these exist is because I'm showing you that they try to abstract gas away from users, and when they do this they make the user vulnerable. So you can see here they have this concept of network fee, network fee, transaction fee, and users, I can almost guarantee most of you don't look at that too closely, but what these are saying is, hey, I'm sending 0.001 ETH but the fee here you see is $3.85. And if you're just looking and you think this is a normal transaction, you're not gonna see $3.85. It could also be $30 or up to $300 maybe. And you're gonna basically pay that and then you're gonna have no idea because you're gonna see 0.01 ETH. And I don't know if there's a good answer. These wallets are all trying to abstract the gas away from the user and that's a really good idea, but at the same time it's also dangerous. This is also Argent, and the reason it's by itself is because they kind of do it the worst in that they say it's free, it's paid by Argent. So they don't even give the user the idea that there is a fee associated with the transaction, and it's dangerous. It's nice, but it's dangerous, and so it's just something to look out for.

And then going into what we actually did last year. So the hack happened, or the exploit happened, last year at DevCon around this time. And we were basically realizing that every exchange was vulnerable to an extent. So from some exchanges you could have taken 50 million, sorry, $50 per transaction, from some $2, but if you wrote a script you can basically make a million transactions. And so when we found this, we went to one of the more prominent members of the Ethereum community, and when he realized what this was he basically said, and you can smile, he said, oh, well, code is law, and he walked away. Meaning you guys should take all the money and run, but a lot of the exchanges are in interesting jurisdictions and we just really wanted to do that.
So we decided to work with different people to kind of get this resolved. We got in touch with all the exchanges, and what you'll see here, we figured, hey, we'll be the good guys and maybe we'll collect some bug bounties for this. We'll put in a lot of work, but we'll get paid a little bit. And so here's an example of one of the exchanges' bounty pages. You don't need to read it all, but what is good to see is, it says, if you find an extraordinarily severe issue, it can pay up to $100,000. And so we did the math. Could have taken 10 million from them. That's pretty severe. They would have stopped their exchange, and they can just give us $100,000 instead. And so we worked with them and we got in touch with all of them and we had Telegram chats and more chats and more chats and more chats, and it actually went on for a month. And so with all these exchanges we talked like this for about a month, and it was two to three, maybe even four engineers' almost full-time job for a month.

And so this is one exchange in particular, and we got through this whole thing and basically saved them, and they offered $800 worth of their token. And so that was a little frustrating. So we responded with a very large email, or large Telegram message, you can read it later, but what it's saying is incentives are really hard in this space, and you guys are one of the biggest exchanges and this is what you're offering. And if you can't do it right, no one else is gonna do it right. I didn't say it, but it kind of sounds like, next time we find something we're just gonna take the money and give you what we want, but it's hard to explicitly say something like this. They ended up responding and they gave us much more money, a couple thousand dollars, not anywhere near $100,000, but it was something, and that's honestly all you can really do with this kind of stuff, unfortunately.

This is another example of an exchange, and this one's quite funny.
Again, you don't need to read it all, but I'll highlight some things in the next slide. What we ended up doing was sending an email to a ton of different exchanges. It was very hard to get a hold of them, so we basically sent an email to maybe 50 or 100 different people with the same message: hey, there's a vulnerability, we can't get in touch with you, but if you get in touch with us we'll help you out. So we got this email from this exchange, and this was the CEO. Chris sent the email and he said, hey, here's who I am, here's what we found, we think you're vulnerable. And he responded with: good for you. We are not fraudulent, there's nothing wrong with our security, and I am several companies that's talking anymore. And that was in response to, hey, it wasn't everything, we know your exchange is vulnerable, so that was not a good response. Nine minutes later, we got this email from the same company, but this was from an engineer saying, oh wow, we really appreciate this, we'll give you a shout if there's any questions. So the same company, two different people, two different responses. I think we ended up forwarding this email to the CEO and we never heard from them again. So we got them.

So that's kind of the history of the attack, gas token, but there's a lot of interesting metrics and stuff going on with gas and gas markets and gas tokens now, and here's gonna be a bunch of screenshots that kind of describe that in a pretty interesting way. I'm sure you guys have all seen this, but when FairWin was going on, the gas prices were pretty high. They're lower now, but I assume they'll be higher at some point. When these prices are high, people can really start taking advantage of gas tokens, and so if people printed gas tokens when they were cheap, when gas was maybe one gwei, they can now start using this at a much higher price. This is the block gas limit.
Again, this was made about two weeks ago when we were raising the block gas limit to about eight and a half. I think we've got up to 10 million and I think since then it's back down to eight, but this is basically showing that gas usage is really increasing on the network, good or bad. Maybe it's a Ponzi scheme. Maybe we have a lot of actual usage, but my intuition is that Ethereum's gonna grow and the usage is also gonna grow.

This is actually pretty interesting. A lot of this stuff stemmed from Phil Daian's talk at the last DevCon, but once that happened and once this exploit happened, what a lot of miners started doing was mining blocks and only filling them with gas token printing. And so you can see here, most of these transactions are all zero transaction fee, meaning the miner included his own transaction and he paid zero for it, and so he didn't have to pay a single dime for any gas and he got minted eight million gas worth of gas token, which, if someone like you or me were to do it, we'd have to pay the normal gas price. And so what we're seeing now is a lot of miners are actually basically filling blocks with zero gas limit, I'm sorry, gas price, and what's happening with that is it's a win-win for the miner because they get gas tokens, but what happens is they also start clogging up the network because they're not propagating normal transactions. And so that's one of the reasons why this could be a dangerous thing: if you have all the miners who are just including their own transactions for the gas token, they're not sending actual transactions through.

And this is a graph of the transactions of the gas token. I didn't put the line in here, but right around this time was that problem last year, and you can see that people started getting interested in it.
Phil Daian had a great speech about gas tokens and front running, our exploit article came out about a month later, so I think a lot of people started recognizing it, and then a little later on it just kind of became a thing, and it looks like it's growing and it's gonna become more and more ubiquitous. Gas tokens were also used a little bit during the CryptoKitties days for arbitrage, like I explained earlier. I'm not gonna get into that, but there's a lot of articles on it that are super interesting.

It's also happening on ETH Classic. Miners were also basically paying nothing and getting gas tokens. ETH Classic's a little more interesting, or a little interesting in a different way, in that it's really cheap. For $5 you can basically print tons and tons of gas tokens. Now the proportionate price of ETH Classic versus ETH means that these aren't worth much or anything, and it doesn't totally matter that you don't need to pay much, but this is kind of showing that it is happening on ETH Classic too. The equivalent Etherscan page in the ETH Classic explorer shows the same thing, with no gas payments and just gas fencing. And what's interesting is, you can imagine this is an ERC-20 token and so people can trade it. So this is an example of an exchange on ETH Classic, and it doesn't look like it's too highly used, but it is an exchange and people are trading gas tokens. The price is, it's an interesting market, because you have an exchange. You can also mint the gas token out, and so you can natively price the token. You can also trade it, so there's basically two different markets going on. Mainnet Ethereum doesn't necessarily have a marketplace at this time, though I did see right before this talk that there is a Uniswap gas token marketplace. So it's coming, I don't know when it's gonna happen. There's a good chance it might be removed.
There's a whole concept of storage rent that may actually nullify all of this, but it's all in the future and we'll see if it actually happens. Finally, there's a package that you can just install and start running. It's called the gas token miner from the Statter Network, and you click one button on your computer and it just starts minting gas token for you. You have to fund it, obviously, but it's about as easy to mint gas token at this point as just clicking a button on your computer. So I think it's gonna become more and more prevalent as time goes on.

This is more of a reference slide, but here's a few addresses that are currently arbitraging the network on different DeFi exchanges. Some of them are using gas token, and if you wanna see how people are using it, try to kinda look into these addresses and the transactions and how they process it, because it's pretty complicated. A lot of transactions going on. I'm sorry, a lot of blood calls are being made in one transaction. It's really, really fascinating, but it'll give you an insight into how this is actually being used.

Finally, how to protect yourself. Pay attention to your gas limits, like I showed with the mobile interfaces. If the app is abstracting away gas from you, it's almost dangerous. It's almost more dangerous than knowing what you're getting into, so maybe it's more of a social thing about learning about this instead of abstracting it away. Transact with only trusted parties. This is hard. This is like saying, only give money to your friends and not a merchant. Obviously it's not realistic, but if you do know that, hey, I'm interacting with Uniswap and I know them to be good, there's a really good chance you're not gonna get psyched. When you're subsidizing costs, set a gas limit. If you do set a gas limit, attackers can really not take much from you. If you have sybil protection, like an email and username, it's really negligible, and so that is the best way to do it, but that's not always possible in crypto.
The last two are a little more interesting. Look at all contract interactions, and learn to code. It's not for everyone, but if you are playing in this space, there's a good chance that you're interacting with potentially malicious code, and if you really don't know how to protect yourself it's hard. And learn to code doesn't mean, like, sit there and become a developer, but at least understand the basics of what's going on. A very simple understanding could save you from a lot of this stuff, and maybe not even coding, but understanding the ecosystem around coding and then where to look to see, hey, there might be an exploit that's not on a news site or something. And so basically being more familiar with everything is the point of those last two. Finally, you can look at these later, but there's references here, and a lot of these slides came from this and our own experiences back about a year ago. Thank you.

Because I don't know how they'd respond if they saw a talk with me. There should be at least an informal way to know what's going on.

You can look at these, there's hand transaction, it'll show you.

For the exchanges to protect themselves, is there something more complicated than just setting the gas limit required?

There's a few things, they all hold. So for example, with Ethereum specifically, you can check if the interaction is going on with a contract, and the exchange should probably assume, hey, I'm only interacting with a non-contract, and they can actually check that, and a non-contract can't do this stuff but a contract can. So an exchange can check, hey, am I interacting with a contract? There are ways around it. For example, if you deploy a contract and make the withdrawal in the same transaction, it doesn't look like a contract at that point, but it's pretty far out there. The gas limit is the best, but then that also gets into questions like what if a user is trying to withdraw into a contract safely, and it's a really hard question and I don't really know the answer.
They could just charge you for your fees. They could charge you, and some exchanges actually charge you a withdrawal fee that is greater than the amount of tokens that they could mint for you, and that is a really good answer. But again, it's not the perfect answer.

How good are the nodes at estimating this stuff? Because nodes, if you're running a node, you can go and estimate the gas usage of a function call. How good are they at estimating whether or not the contract underneath the gas token contract is going to go and create X amount of data on-chain?

I want to say it's super easy. I just don't think people are doing it. Okay, okay, yeah, yeah, yeah. So yeah, that is a good answer. We got one more.

So I know there's two different variants of gas token. Can you explain a little bit about when you would reach for either variant?

Yeah, so the deeper answer to that is go to gastoken.io. I think the quick answer is there's two ways to get a refund on Ethereum. One is to reduce state. So setting a variable from one to zero collects this refund. Another way to do it is to self-destruct a contract. I think that's the more efficient way, and so what gas token two does is it creates a thousand contracts for you, and when you go to use it you just destroy the contracts, and that's the type of refund. But gastoken.io, they have a very, very in-depth analysis of all of that, and I think that's all my time. Thank you.
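The Q&A above lists three defences for anyone who pays the gas on users' withdrawals: cap the gas limit, check whether the recipient is a contract, and charge a withdrawal fee larger than whatever could be minted from the subsidised gas. The following is an added example, not code from the talk, the speaker's projects or any exchange; it models those three checks as a pre-signing withdrawal policy. The `Withdrawal`, `Policy` and `check_withdrawal` names, the placeholder addresses and all numbers are constructed for illustration, and `recipient_code_size` stands in for the length of an `eth_getCode` lookup that a real service would make against its node.

```python
"""Withdrawal guard for a service that pays gas on its users' withdrawals.

Added example for this transcript, not code from the talk or from any
exchange. It models the three mitigations discussed at the end of the talk:
cap the gas limit of subsidised withdrawals, refuse recipients that have
code, and make the withdrawal fee exceed what the subsidised gas could be
turned into. All names, numbers and sample withdrawals are constructed.
"""
from dataclasses import dataclass

# Intrinsic gas of a plain value transfer with no calldata. A transfer to an
# externally owned account needs exactly this much; any gas above it can only
# be consumed by code at the recipient (the fallback path the talk describes).
PLAIN_TRANSFER_GAS = 21_000
GWEI = 10**9


@dataclass(frozen=True)
class Withdrawal:
    to: str
    value_wei: int
    gas_limit: int            # gas limit the service would put on its transaction
    gas_price_wei: int
    recipient_code_size: int  # len(eth_getCode(to)) at check time; 0 = no code (assumed node lookup)


@dataclass(frozen=True)
class Policy:
    max_gas_limit: int = PLAIN_TRANSFER_GAS   # default: only plain transfers are subsidised
    allow_contract_recipients: bool = False
    fee_wei: int = 0                           # flat withdrawal fee charged to the user


def subsidised_gas_exposure_wei(w: Withdrawal) -> int:
    """Upper bound on gas value, beyond a plain transfer, that recipient code
    could burn on the payer's dime in this one transaction. A refund-based
    token can only be minted from gas that was actually spent, so this also
    bounds what could be printed from the subsidy."""
    return max(0, w.gas_limit - PLAIN_TRANSFER_GAS) * w.gas_price_wei


def check_withdrawal(w: Withdrawal, p: Policy) -> tuple:
    """Return (accepted, reason). Runs before any transaction is signed."""
    if w.gas_limit > p.max_gas_limit:
        return False, f"gas limit {w.gas_limit} exceeds policy cap {p.max_gas_limit}"
    if w.recipient_code_size > 0 and not p.allow_contract_recipients:
        # Code at the recipient means its fallback runs on our gas. As the
        # speaker notes, code that is not yet deployed at check time is not
        # visible to this lookup, so this check is a complement to the cap.
        return False, "recipient has code; contract recipients are not subsidised"
    exposure = subsidised_gas_exposure_wei(w)
    if exposure > p.fee_wei:
        # If extra gas is allowed, the fee must cover the worst case so that a
        # subsidised withdrawal is never net-positive for the recipient.
        return False, f"fee {p.fee_wei} wei does not cover gas exposure {exposure} wei"
    return True, "ok"


# Constructed samples; addresses are placeholders, not real accounts.
EOA_WITHDRAWAL = Withdrawal("0xEOA_PLACEHOLDER", 10**16, 21_000, 30 * GWEI, 0)
# Same shape as the slide's transaction: 6.5M gas at 30 gwei sent to a contract.
BIG_CONTRACT_WITHDRAWAL = Withdrawal("0xCONTRACT_PLACEHOLDER", 10**16, 6_500_000, 30 * GWEI, 1_200)
SMALL_CONTRACT_WITHDRAWAL = Withdrawal("0xCONTRACT_PLACEHOLDER", 10**16, 100_000, 30 * GWEI, 1_200)

STRICT = Policy()
LENIENT = Policy(max_gas_limit=6_500_000, allow_contract_recipients=True, fee_wei=0)
# Allows 100k-gas withdrawals to contracts, but prices the 79k of extra gas into the fee.
FEE_COVERED = Policy(max_gas_limit=100_000, allow_contract_recipients=True,
                     fee_wei=(100_000 - PLAIN_TRANSFER_GAS) * 30 * GWEI)

if __name__ == "__main__":
    for name, w, p in [("strict/eoa", EOA_WITHDRAWAL, STRICT),
                       ("strict/contract", BIG_CONTRACT_WITHDRAWAL, STRICT),
                       ("lenient/contract", BIG_CONTRACT_WITHDRAWAL, LENIENT),
                       ("fee-covered/contract", SMALL_CONTRACT_WITHDRAWAL, FEE_COVERED)]:
        print(name, check_withdrawal(w, p))
```

The strict policy is the speaker's "set a gas limit" answer: with the cap at 21,000 there is no gas left over for a fallback function to run, so nothing can be minted. The lenient policy shows why a cap alone matters: it admits the slide's 6.5M-gas withdrawal and the exposure check is the only thing that stops it. The fee-covered policy is the "withdrawal fee greater than what could be minted" answer, which lets users withdraw to contracts without the service ever paying more in gas than it collected.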