An announcement came out November 21st, 2018 regarding an identified vulnerability in the Ethereum network. The concern is that some platforms are not setting reasonable gas limits or charging a high enough withdrawal fee to cover customer transactions and potentially using withdrawals to perform costly operations on the platform. The net result is a risk that the platform in question could lose substantial liquidity if the vulnerability is correct.
Coinsquare is not affected by the alleged vulnerability because we account for the fact that customers will be withdrawing to smart contracts. Withdrawing to smart contracts requires arbitrary code to be executed, requiring additional gas, and thus additional fees. This is the purpose of the Ethereum blockchain, and thus, Coinsquare’s withdrawal system for Ethereum handles this correctly.
A full explanation of how the vulnerability works is below. If you have any questions, don’t hesitate to reach out to our Support Team.
To understand the alleged vulnerability, it helps to understand how fees work in Ethereum and Bitcoin.
In Bitcoin, each transaction contains a script that is executed by nodes when Bitcoin is spent. Because the sender or receiver of the Bitcoin is defining that script, the size of the overall transaction, in bytes, is known at the time of sending a transaction. Furthermore, Bitcoin fees are calculated based on a price per byte, multiplied by the size of the transaction. The entire fee is taken by the miner who confirms the transaction.
In Ethereum, things are slightly more complicated. Every operation has a unique cost, defined in a unit called gas. For example, addition might be 20 gas, multiplication might be 60 gas, storing a variable might be 200 gas, or reading from memory might be 100 gas. Similar to Bitcoin price per byte, Ethereum has a gas price, which is the price in ETH of each unit of gas. For example, if a transaction will result in operations totalling 1,000 gas units, and the sender specifies a gas price of 0.0002 ETH/gas, then the overall transaction will have a fee of 0.2 ETH.
However. since each transaction can result in the execution of smart contract code that already resides on the blockchain, it is usually the case that the sender cannot know ahead of time exactly how much gas their transaction will consume. Therefore, apart from specifying the gas price (how much they are willing to pay in ETH per gas unit) the sender also specifies the maximum amount of gas they are willing to allow their transaction to consume, called a gas limit. If the all the operations triggered by the transaction result in less gas consumption than the gas limit, the transaction is a success; if not, it fails, but the miner of the block still keeps the fee.
Coinsquare attaches 90,000 gas for every single withdrawal, and charges the user an amount, in Ether, that will cover the entire fee, assuming all 90,000 gas are consumed. Because of this, even if a user uses all of the gas attached to the withdrawal to perform other operations on the blockchain, the gas consumption is already accounted for. If a trading platform or exchange did not take into consideration the gas limit they were specifying for their withdrawals and/or do not charge the customer a sufficient amount to cover the cost of a transaction assuming all the gas is used, this vulnerability could possibly affect them. That is, however, not the case with Coinsquare.
Coinsquare embraces smart contract platforms like Ethereum. We expect a significant portion of our withdrawals to consume more gas than a standard transfer may incur, and we take that into account accordingly, to protect customers sending transactions.