EtherDelta XSS vulnerability

EtherDelta (ED) is a popular decentralised exchange run by Zack Copburn and Tina Trinh.

It uses an Ethereum smart contract to allow users to trade tokens in a trustless manner in exchange for a small percentage fee charged on each transaction.

The site recently published the following tweet:

It was found to have a Cross-site scripting (XSS) vulnerability caused by unsanitized input from token contracts. The bug caused several users to have the funds drained from their wallets.

Cross-site scripting is a technique which allows an attacker to inject malicious code into an otherwise innocuous web page. Since the injected code is executed client side it has access to any information available to the user themselves.

ED is frequently the first port of call for Initial Coin Offering (ICO) participants looking to trade their freshly minted tokens because it’s possible to trade any token provided you know it's address.

Adding a custom token to ED

Custom tokens can be accessed via a link with the following format:
https://etherdelta.com/#0x0000000000000000000000000000000000000000-ETH

To transfer tokens to and from ED, users can submit their private key.

Importing an account into ED

The attack involved adding malicious code to the token contract. Because the contract field was not sanitized by ED, the attacker could execute code on their victim’s client if they clicked on a completely legitimate looking link to https://etherdelta.com.

The code was designed to read the victim’s private key, if it had been imported, and send it to a web site controlled by the attacker who could then collect the keys and empty the wallets at their leisure.

This unfortunate incident underlines the importance of code review and bug bounty programs. So far no bounty has been issued and no compensation has been offered to victims.