User pays $23M as transaction fees
In an atypical event, a user transacting using the DeversiFi interface paid astronomical fees; here’s everything that happened.
$23M as transaction fee?
Bitfinex and DeversiFi have been in the news for reasons good and bad. On the one hand, they built the first CEX to L2 DEX bridge to reduce fees for their users; on the other hand, a transaction cost them millions.
Let’s dissect the story!
At 11:10 UTC on the 27th of September, a user connected a Ledger hardware wallet to transfer 100K using the DeversiFi interface. The transaction went through, and so did $23M in fees.
What exactly happened?
Following the recent changes to the Ethereum gas fee structure introduced by EIP 1559, an issue in the Ethereum JS library led to high gas fees.
Metamask does a lot of heavy lifting in a typical transaction: it generates the messages and the transaction fees. For other wallets such as Ledger, however, DeversiFi becomes responsible for showing the transaction costs.
In the case of DeversiFi, when the generated gas value is an integer, the underlying Ethereum code works perfectly, but things escalate when a decimal value is parsed.
The BN library throws an error, but due to improper error handling, the decimal value is converted to a buffer value, potentially to a magnitude of six times higher. @Tay had been warning about this issue in Ethereum JS for a while.
The initial reaction on crypto Twitter was mixed. Some folks looked at it as a means of money laundering, as the miner who processed the transaction was unknown. The others were merely mocking the user.
The initial reaction by crypto Twitter was mixed. Some folks looked at it as a means to money laundering as the miner who processed the transaction was unknown. the others were merely mocking the user.
When a transaction is done using a hardware wallet, the transaction fees are shown in a non-human readable format, making it difficult to gauge the number as a $ value. If it had been a generic transaction, it could have been avoided.
Another aspect was that the wallet had a high amount of funds. If that weren't the case, the transaction would have failed immediately due to low gas fees.
Deversifi recovered the funds
Thanks to blockchain and the immutable ledger, the miner wallet was linked to a Binance account. The DeversiFi team engaged with Binance to identify the miner.
Also, the miner was kind enough to return almost all the funds: 7626 ETH, ~50 ETH lower than the total transaction fee.
As a safety measure, hardware wallets were disabled for a particular time. The Ledger and the Ethereum JS teams were aptly informed and may, in time, find a solution. DeversiFi, in the meantime, has applied thresholds to avoid future events.
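The two safeguards discussed above, refusing gas values that are not whole numbers of wei before they are hex-encoded and capping the worst-case fee, sketched as an added example. It is not DeversiFi's or Ethereum JS's code; the function names, the gwei-string inputs and the cap value are assumptions made for illustration.

```javascript
// Added example: hypothetical pre-signing guard for EIP 1559 fee fields.
const WEI_PER_GWEI = 10n ** 9n;

// Convert a decimal gwei string to integer wei exactly. Anything that is not
// a plain decimal string, or that needs sub-wei precision, is rejected
// instead of being silently coerced into some other number.
function gweiToWei(gwei) {
  if (typeof gwei !== "string" || !/^\d+(\.\d+)?$/.test(gwei)) {
    throw new TypeError(`gas price must be a decimal string, got ${String(gwei)}`);
  }
  const [whole, frac = ""] = gwei.split(".");
  if (/[1-9]/.test(frac.slice(9))) {
    throw new RangeError("gas price has sub-wei precision");
  }
  return BigInt(whole) * WEI_PER_GWEI + BigInt(frac.slice(0, 9).padEnd(9, "0"));
}

// Hex-encode a quantity; only non-negative integers (BigInt) are accepted.
function toHexQuantity(value) {
  if (typeof value !== "bigint" || value < 0n) {
    throw new TypeError("quantity must be a non-negative BigInt");
  }
  return "0x" + value.toString(16);
}

// Build the fee fields and fail closed when the worst-case fee
// (maxFeePerGas * gasLimit) exceeds the caller's cap in wei.
function buildFeeFields({ maxFeeGwei, priorityFeeGwei, gasLimit }, maxTotalFeeWei) {
  const maxFee = gweiToWei(maxFeeGwei);
  const priorityFee = gweiToWei(priorityFeeGwei);
  if (!Number.isSafeInteger(gasLimit) || gasLimit <= 0) {
    throw new RangeError("gas limit must be a positive integer");
  }
  if (priorityFee > maxFee) {
    throw new RangeError("priority fee exceeds max fee");
  }
  const worstCase = maxFee * BigInt(gasLimit);
  if (worstCase > maxTotalFeeWei) {
    throw new RangeError(`worst-case fee ${worstCase} wei exceeds cap ${maxTotalFeeWei} wei`);
  }
  return {
    maxFeePerGas: toHexQuantity(maxFee),
    maxPriorityFeePerGas: toHexQuantity(priorityFee),
    gasLimit: toHexQuantity(BigInt(gasLimit)),
    worstCaseFeeWei: worstCase,
  };
}
```

The same worst-case figure, converted to ETH or a fiat value, is what the interface should display before the request is sent to a hardware wallet.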
Takeaway
This incident should be an eye-opener for devs and users alike: devs should build in thresholds and test the product well, and users should always double-verify before signing or approving transactions.