Zero input might cause unlimited lost
Sometime, have you ever considered what the worst-case scenario might be if users could input (stake, deposit, swap ...)
zero-value amount? Nothing! Users receive nothing in return, rendering such transactions pointless. However, this assumption can be misleading. In some cases, allowing
zero-value inputs can introduce critical security vulnerabilities instead of some regular reverted transactions. Let's dig into a real-world example. On January 16 2024, an attacker exploited a vulnerability on
SocketDotTech Aggregator system. The vulnerability allowed the attacker to steal funds from users who had given approval of tokens to the
SocketDotTech Gateway contract. The estimated total value of the exploited funds is approximately USD 3.3 million.
Attacker : https://etherscan.io/address/0x50DF5a2217588772471B84aDBbe4194A2Ed39066 Attack Contract : https://etherscan.io/address/0xf2D5951bB0A4d14BdcC37b66f919f9A1009C05d1 Vulnerable Contract : https://etherscan.io/address/0xCC5fDA5e3cA925bd0bb428C8b2669496eE43067e
The vulnerability that was exploited in WrappedTokenSwapperImpl due to an unsafe arbitrary call in the
performAction function. Attacker can control
swapExtraData to perform arbitrary call to
fromToken contract and trigger
transferFrom function to steal tokens from users who had given approval of tokens to the Socket Gateway contract.
Still, there is a check after that which make sure that the balance of the Socket Gateway contract after performing arbitrary call must match with the expected swap
amount. This seem okay at first because it forces the contract to do a swap from
ETH by exactly the input
amount (by doing swap, it is unable to trigger another arbitrary call to steal token), but it did not consider the case where the caller transfers in 0 WETH. This is where the attacker utilize the
zero-value input, he can bypass the balance check with the input
amount set to 0, eliminating the need for a swap and allowing them to trigger the arbitrary call.
As a developer, when building your own project, does not trust any user input. Any parameter given must be carefully validated by the code. Unlike the traditional finance where transfering zero is not usually permit. Ethereum core and ERC20 smart contracts allow transferring zero token so developers must be aware of this and carefully validate the input. Arbitrary calls are another aspect that must be carefully considered. Allowing arbitrary calls means letting others control your contract's logic, and you can be certain they will not always play by your rules.
Furthermore, conducting a security audit is strongly recommended for all projects, even though they are smart contracts, backends, wallets, or dapps.
As a blockchain user, remember: approving tokens grants strangers access to spend them as they please. Avoid infinite approvals, always allocate the exact amount needed for each transaction, even if it incurs additional fees. You will never know that a DeFi app you used many years ago can get hacked, putting your tokens at risk. Proactively review and revoke unnecessary approvals to safeguard your money now.
Thanks for reading Verichains! Subscribe for free to receive new posts and support my work.