Ethereum Token "Fake Deposit" Vulnerability Exposed: At Least 3,619 Tokens at Risk

Overview

Recent reports from SlowMist Zone reveal a widespread "fake deposit" vulnerability affecting Ethereum tokens. The impacted entities include centralized exchanges, wallet services, and token contracts.

According to incomplete statistics, 3,619 token contracts are susceptible to this vulnerability, including prominent tokens. SlowMist's security team warns that this incident may have broader implications than the USDT "fake deposit" attack in 2018. Since active exploitation is already occurring, projects are urged to conduct immediate audits.

Recommended Solution

For high-risk tokens, the optimal remediation is reissuing new tokens with proper old-to-new token mapping. SlowMist emphasizes:

"Without reissuance, these tokens act like 'time bombs.' You cannot expect all exchanges and wallet platforms to implement flawless security checks. If overlooked, the 'fake deposit' flaw could cause significant losses—ultimately harming the broader market."

Vulnerability Disclosure Timeline

• 2018/06/28: SlowMist discloses USDT "fake deposit" attack.
• 2018/07/07: Ethereum token vulnerability confirmed.
• 2018/07/09: SlowMist issues initial alert.
• 2018/07/11: Technical details publicly released.

Technical Breakdown

Root Cause

The vulnerability stems from improper balance checks in token contracts’ transfer functions. Some contracts use if/else logic without reverting transactions when balances are insufficient:

if (balances[msg.sender] < _value) {
    return false;  // No exception thrown
}

In contrast, secure implementations use require/assert to force exceptions:

require(balances[msg.sender] >= _value, "Insufficient balance");

Exploitation Scenario

Attackers exploit vulnerable contracts to submit fake deposits. If platforms only check transaction status (status: 0x1) without verifying actual balance changes, funds appear deposited when they aren’t.

👉 Explore real-world attack examples

Mitigation Strategies

1. Platforms (Exchanges/Wallets):

   • Verify balance changes beyond transaction status.
   • Use Event logs cautiously—ensure Transfer events match actual values (malicious contracts may forge logs).

2. Token Contract Developers:

   • Adopt EIP-20 standards with require/revert for balance checks.
   • Engage third-party auditors for rigorous security reviews.

3. Users:

   • Monitor official announcements from token projects regarding reissuance or updates.

FAQs

Q1: How can exchanges detect fake deposits?

A: Implement dual verification:

• Confirm TxReceipt Status == success.
• Cross-check wallet balance increments via on-chain data (not just Event logs).

Q2: Are decentralized exchanges (DEXs) affected?

A: Primarily impacts centralized services. DEXs relying on smart contract balance checks are less vulnerable.

Q3: Should I move my tokens to a new contract?

A: Follow project advisories. If reissuance occurs, migrate to the audited contract promptly.

Conclusion

The Ethereum token "fake deposit" flaw underscores critical gaps in smart contract security. Proactive measures—from rigorous coding practices to platform-level safeguards—are essential to mitigate risks.

👉 Stay updated on crypto security best practices

Sources: SlowMist Zone, Babbitt News