Sometime, have you ever considered what the worst-case scenario might be if users could input (stake, deposit, swap ...) zero-value amount? Nothing! Users receive nothing in return, rendering such transactions pointless. However, this assumption can be misleading. In some cases, allowing zero-value inputs can introduce critical security vulnerabilities instead of some regular reverted transactions. Let's dig into a real-world example. On January 16 2024, an attacker exploited a vulnerability on SocketDotTech Aggregator system. The vulnerability allowed the attacker to steal funds from users who had given approval of tokens to the SocketDotTech Gateway contract. The estimated total value of the exploited funds is approximately USD 3.3 million.

Overview

Attacker : https://etherscan.io/address/0x50DF5a2217588772471B84aDBbe4194A2Ed39066 Attack Contract : https://etherscan.io/address/0xf2D5951bB0A4d14BdcC37b66f919f9A1009C05d1 Vulnerable Contract : https://etherscan.io/address/0xCC5fDA5e3cA925bd0bb428C8b2669496eE43067e

Exploit Analysis

The vulnerability that was exploited in WrappedTokenSwapperImpl due to an unsafe arbitrary call in the performAction function. Attacker can control fromToken and swapExtraData to perform arbitrary call to fromToken contract and trigger transferFrom function to steal tokens from users who had given approval of tokens to the Socket Gateway contract.

Still, there is a check after that which make sure that the balance of the Socket Gateway contract after performing arbitrary call must match with the expected swap amount. This seem okay at first because it forces the contract to do a swap from WETH to ETH by exactly the input amount (by doing swap, it is unable to trigger another arbitrary call to steal token), but it did not consider the case where the caller transfers in 0 WETH. This is where the attacker utilize the zero-value input, he can bypass the balance check with the input amount set to 0, eliminating the need for a swap and allowing them to trigger the arbitrary call.

Conclusion

As a developer, when building your own project, does not trust any user input. Any parameter given must be carefully validated by the code. Unlike the traditional finance where transfering zero is not usually permit. Ethereum core and ERC20 smart contracts allow transferring zero token so developers must be aware of this and carefully validate the input. Arbitrary calls are another aspect that must be carefully considered. Allowing arbitrary calls means letting others control your contract's logic, and you can be certain they will not always play by your rules.

Furthermore, conducting a security audit is strongly recommended for all projects, even though they are smart contracts, backends, wallets, or dapps.

As a blockchain user, remember: approving tokens grants strangers access to spend them as they please. Avoid infinite approvals, always allocate the exact amount needed for each transaction, even if it incurs additional fees. You will never know that a DeFi app you used many years ago can get hacked, putting your tokens at risk. Proactively review and revoke unnecessary approvals to safeguard your money now.