![](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2019\/12\/24152018\/gemini-front-running-featured.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Alexey Malanov| Date: Tue, 24 Dec 2019 20:30:19 +0000<\/strong><\/p>\n The Winklevoss twins<\/a> are best known as the alleged founding fathers of Facebook \u2014 and even received $65 million<\/a> in compensation from Mark Zuckerberg in 2008. In 2013 they invested heavily in Bitcoin, buying about 1% of all existing coins at $120 apiece.<\/p>\n Soon after, the brothers opened the Gemini<\/a> cryptocurrency exchange, and in 2018 they launched<\/a> the stablecoin Gemini dollar<\/a> (GUSD). A stablecoin is a fixed-rate cryptocurrency \u2014 1 GUSD token always costs 1 US dollar. Stablecoins are handy for “digitizing” real dollars. They make moving blockchain dollars between exchanges quick and easy. The guarantor of the reverse conversion to dollars is the company that issued and sold them to you.<\/p>\n Under the Kaspersky Smart Contract Source Code Review<\/a> service, we analyzed a smart contract<\/a> that provides GUSD functionality, and we detected a flaw.<\/p>\n Note that the given smart contract had already been reviewed<\/a>, although we do not know if any code flaws were described in the report.<\/p>\n In line with our Responsible Disclosure Policy, we contacted Gemini’s security team to report the problem. They informed us the issue was considered during the design phase but presented no risk to GUSD. <\/p>\n<\/div>\n For a simple explanation of how smart contracts work, see our post on smart contracts, Ethereum, and ICOs<\/a>.<\/p>\n Generally speaking, when someone wants to create new tokens based on the Ethereum blockchain, they write a smart contract (a miniprogram) that specifies the following:<\/p>\n The creators of the Gemini dollar system implemented<\/a> the following enhancements as well:<\/p>\n The enhancements are sound and increase overall security and flexibility.<\/p>\n If someone other than the primary custodian enters a proposal in a custodian contract, they must pay a 1 ETH stake (about $200 at the current exchange rate). As noted in the comments<\/a> to the contract itself, this antispam measure aims to dissuade participants from creating too many requests.<\/p>\n The antispam payments ultimately go<\/a> to one person: the one who announces the approval of a particular proposal\/request. This implementation may not look terrifically fair, but the comments clearly indicate that its creators conceived it that way.<\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 } else {<\/strong> For our part, we recommend using the Solidity Withdrawal Pattern<\/a> approach.<\/p>\n The person who determines the approval of the request thus also receives all ETH antispam payments. To do so, he or she calls the smart contract function completeUnlock<\/strong> and passes the signatures of two custodians in the parameters.<\/p>\n The problem is that Ethereum, like any other blockchain, executes requests on a delay. A client transaction (transferring money or calling a function) waits in line for some time (usually 15 seconds or longer). During this time, absolutely anyone can view the planned transfers of other Ethereum users, including amounts, recipients, and parameters. And the peeper can use this information to create their own transaction and push it to the front by paying a higher commission to the miner.<\/p>\n Any advantage gained through peeping is considered front-running, a form of attack (Known Attacks: Front-Running<\/a>).<\/p>\n Front-running is when a broker or other entity enters into a trade because they have foreknowledge of a big nonpublicized transaction that will influence the price of the asset, resulting in a likely financial gain for the broker. It also occurs when a broker or analyst buys or sells shares for their account ahead of their firm’s buy or sell recommendation to clients. <\/p>\n<\/div>\n In our case, a complete outsider can set up a robot to monitor the custodian contract<\/a>. If it sees that someone called the completeUnlock<\/strong> function (that is, a custodian is interacting with Gemini dollar), it immediately copies all of the parameters and calls the function to extract the Ether that has accumulated there.<\/p>\n To counter such an attack, we again recommend using the popular Solidity Withdrawal Pattern<\/a> approach.<\/p>\n On top of that, we recommend blocking unknowns<\/a> from calling a function intended for custodians.<\/p>\n Although dangerous in theory, the detected vulnerability is fairly benign in practice. Here’s why:<\/p>\n Gemini comments: “We chose this design because Gemini does not intend to stake ether under normal conditions, and, as a result, we made a risk-based decision not to materially expand the complexity of our codebase solely for the immaterial benefit of a more robust recovery mechanism for a theoretical, and nominal, anti-spam stake. Prioritizing secure, simple code remains the best solution for the Gemini dollar and its users. In the future we may revisit this decision if the risk changes and a more costly and complex contract becomes appropriate.”<\/p>\n We decided to publish this post in coordination with Gemini, given that antispam stakes are at risk only through a combination of specific and unlikely circumstances, and GUSD is not at risk.<\/p>\n Again, we remind everyone of the need for a holistic security approach to ICOs and other activities related to cryptocurrencies and blockchains<\/a>.<\/p>\n\nDisclaimer<\/h2>\n
Gemini dollar smart contracts<\/h2>\n
\n
\n
Antispam payments<\/h2>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if (address(this).balance > 0) {<\/strong>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ reward sender with anti-spam payments<\/strong>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ ignore send success (assign to \u02b9success\u02b9 but this will be overwritten)<\/strong>
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 success = msg.sender.send(address(this).balance);<\/strong><\/p>\nFront-running attackers can steal all antispam payments<\/h2>\n
From investopedia.com<\/a>:<\/p>\nPractical implementation of an attack<\/h2>\n
\n