Ethereum Token "Fake Deposit" Vulnerability: Over 3,619 Tokens at Risk

Vulnerability Disclosure

A critical "fake deposit" vulnerability affecting Ethereum-based tokens has been disclosed, with at least 3,619 token contracts identified as high-risk. The flaw, first detected by SlowMist Security Team, poses significant threats to centralized exchanges, wallets, and token ecosystems.

Key Risks


Timeline of Discovery

| Date | Event |
|---------------|------------------------------------------------------------------------------------------|
| June 28, 2018 | USDT "fake deposit" attack disclosed. |
| July 7, 2018 | Ethereum token vulnerability confirmed. |
| July 9, 2018 | SlowMist issued initial warnings. |
| July 11, 2018 | Technical details publicly released. |


Technical Breakdown

Flaw Mechanism

  1. Faulty Validation: Tokens whose `transfer()` guards the balance with `if (balances[msg.sender] < _value) return false;` return `false` instead of reverting, so a transfer that moved nothing is still mined as a successful transaction (receipt `status=0x1`).
  2. Exploit: An attacker "deposits" tokens they do not actually hold to an exchange; a platform that credits deposits on `status=0x1` alone, without checking the token's `Transfer` event or the resulting balance change, credits funds that never arrived.
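
As an added example (not code from the SlowMist disclosure), the following Python check shows how a deposit-crediting service should treat a receipt for a vulnerable token: `status=0x1` is required but never sufficient, and the deposit is credited only when the token contract itself emitted a `Transfer` event to the platform's hot wallet for the expected amount. The receipt dictionaries, addresses and amount are constructed fixtures; a real service would fetch the receipt by transaction hash from a node.

```python
# Added example, not code from the SlowMist disclosure. Receipts, addresses and
# amounts below are constructed; a real service would fetch the receipt by tx hash.

# keccak256("Transfer(address,address,uint256)"): the ERC-20 Transfer event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


def _topic_to_address(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes inside a topic."""
    return "0x" + topic[-40:].lower()


def credit_deposit(receipt: dict, token: str, hot_wallet: str, expected: int) -> bool:
    """Credit only when the receipt proves `expected` units of `token` reached
    `hot_wallet`. status == 1 is required but never sufficient on its own: a
    transfer() that returns false still produces a successful (0x1) receipt."""
    if receipt.get("status") != 1:
        return False
    for log in receipt.get("logs", []):
        # The Transfer event must be emitted by the token contract itself,
        # not by some other contract that merely copies the event signature.
        if log["address"].lower() != token.lower():
            continue
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        if _topic_to_address(topics[2]) != hot_wallet.lower():
            continue
        if int(log["data"], 16) == expected:
            return True
    return False


# Constructed fixtures: a vulnerable token's failed transfer yields a status=1
# receipt with no Transfer event; a genuine deposit yields one from the token.
TOKEN = "0x" + "aa" * 20
HOT_WALLET = "0x" + "bb" * 20
SENDER = "0x" + "cc" * 20
AMOUNT = 1000 * 10**18

FAKE_DEPOSIT_RECEIPT = {"status": 1, "logs": []}
REAL_DEPOSIT_RECEIPT = {
    "status": 1,
    "logs": [{
        "address": TOKEN,
        "topics": [TRANSFER_TOPIC, "0x" + "00" * 12 + SENDER[2:], "0x" + "00" * 12 + HOT_WALLET[2:]],
        "data": "0x" + format(AMOUNT, "064x"),
    }],
}

if __name__ == "__main__":
    print("fake deposit credited:", credit_deposit(FAKE_DEPOSIT_RECEIPT, TOKEN, HOT_WALLET, AMOUNT))  # False
    print("real deposit credited:", credit_deposit(REAL_DEPOSIT_RECEIPT, TOKEN, HOT_WALLET, AMOUNT))  # True
```

Pairing this with a before/after `balanceOf(hot_wallet)` comparison gives a second, independent signal that does not depend on event parsing.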

Secure Code Practices

```solidity
// Vulnerable
function transfer(address _to, uint _value) public returns (bool) {
    if (balances[msg.sender] < _value) return false;  // Unsafe! Caller gets false, but the tx still succeeds (status 0x1)
    balances[msg.sender] -= _value;
    balances[_to] += _value;
    emit Transfer(msg.sender, _to, _value);
    return true;
}
// Safe (EIP-20 Compliant)
function transfer(address _to, uint _value) public returns (bool) {
    require(balances[msg.sender] >= _value);  // Reverts on failure: no successful receipt without a real transfer
    balances[msg.sender] -= _value;
    balances[_to] += _value;
    emit Transfer(msg.sender, _to, _value);
    return true;
}
```

Mitigation Strategies

For Exchanges/Wallets

For Token Projects


FAQ

Q1: Why disclose this as an "attack" not just a "vulnerability"?
A: Active exploits were observed—delaying disclosure would have increased losses.

Q2: Should all 3,619 tokens be reissued?
A: Yes. Unpatched contracts risk exchange/wallet losses, destabilizing markets.

Q3: Which major tokens are affected?
A: SlowMist avoids naming specific projects to prevent panic.

Q4: Are other blockchains vulnerable?
A: "Fake deposit" flaws exist beyond Ethereum—details withheld pending further research.


Conclusion

The Ethereum token ecosystem faces a "ticking time bomb." Proactive reissues and rigorous platform audits are essential to prevent systemic losses. SlowMist’s findings underscore the need for industry-wide security upgrades.

Stay vigilant—verify every deposit.