Chainlink exploits lead to ETH losses—again

An attacker has once again managed to exploit Ethereum‘s economy by spamming nine Chainlink nodes to drive up the cost of “gas” tokens that power the network. Though not a direct theft, the attack a few days ago still managed to drain node operator’s hot wallets of 700 ETH (~US$244,420) before it was halted.

It’s another sign that much of this technology remains experimental in nature, and that introducing layers of complexity in an almost-anonymous economy can lead to losses. Ethereum is a popular target for such attacks given the relatively high value of the ETH currency and the various ways in which its contracts operate.

Although a similar exploit could hypothetically take place on a Bitcoin contract system, the economics would never make sense since transaction fees are extremely low starting at around 1/100th of a penny. Also, Bitcoin SV’s more regulated nature would discourage attackers from using its network in such a way. Bitcoin itself has never been hacked and there have been moves to ascertain legal ownership rights, enforced by processing nodes.

There are also more rules and guidelines for creating tokens on Bitcoin SV (BSV) that would limit the ability of anyone to create tokens without identifying users—something that could have prevented this exploit.

How did it happen?

The attacker used at least three aspects of Chainlink and Ethereum’s network operations and economic incentives to pull off the exploit.

Chainlink works as a system of nodes that connect smart contracts to inputs and outputs in the real world they require to function. By doing this it forms a “decentralized oracle network,” in theory protecting a contract from the dangers of depending on a single oracle, which may be compromised.

The attack targeted certain nodes—in this instance, nine that supplied price data for various other tokens. Otherwise it was a classic spam attack, where the attacker reportedly sent a large number of price requests that left the node operators suddenly paying huge prices for Ethereum’s gas fees. “Gas” is the price Ethereum users pay for computing operations, and the more there are, the higher the price.

Node operators keep hot wallets to cover any gas fees (to ensure their services work). In this case those wallets were soon drained of their reserve funds, with one operator reportedly losing 20 ETH.

How did the attacker benefit from this? According to news sources, they created something called Chi Gastokens—developed by another third-party called 1inch. Chi tokens trade independently on exchanges, so their price fluctuates independently of ETH or any other similar token.

Chi is a “gas” token that, ironically, provides a hedge against gas price volatility. Users can “mint” new tokens at current prices, and (similar to the fuel futures airlines use to hedge against price volatility in that industry) and trade them later, depending on whether the price is higher or lower than when the token contract was created.

The attacker minted new Chi tokens at the higher price, then sold them for regular ETH. So in fact, although the Chainlink node operators paid a few hundred thousand dollars too much to use the network that day, that money didn’t go to the attacker directly.

According to Chainlink, the attack lasted around two hours, but added that its network’s built-in protections against such attacks identified the problem and stopped it before any more funds were lost. 

Feeling drained

How many times have we read the line “ETH drained from wallets” over the years? It almost feels like a running joke. Ethereum is a complex system that allows computing processes to be done on-chain. As a new and still-much-unexplored concept, it has seen various exploits over the years where attackers have discovered loopholes in the code that allow them to divert others’ funds to places where the attacker can benefit.

Too many times, we’ve also seen similar headlines in other parts of the digital asset industry as well. It’s the reason this technology has struggled to gain mainstream acceptance—potential users (with good reason) worry they could lose substantial savings performing simple tasks.

It’s technically possible for any code to be exploited in new and novel ways, even when the base protocol is rock solid. This is why the oft-repeated phrase “code is law” doesn’t work in the real world—sooner or later, someone finds a way to exploit it. In this case, it was a “hack” based on a spam attack and market incentives that caused losses rather than an outright theft. But it’s a demonstration of why human law matters as much as code when building a digital asset economy. The more legal systems in place to prevent or discourage code exploits, the less frequently they will occur.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.