Security experts from Level K, Trail of Bits, and IC3 disclosed a vulnerability in GasToken that enables an attack to potentially force an exchange to pay large gas fees for initiating Ethereum transactions. Additionally, attackers can use this exploit to mint GasToken.
GasToken allows users to tokenize gas on the Ethereum network, storing gas when it is cheap and using gas when it is expensive. Every transaction on the Ethereum network must include gas fees (ether) to pay miners for executing the transaction. Because many exchanges allow for the withdrawal of ether with no gas usage limits, an attacker can exploit the vulnerability for a GasToken supporting exchange — forcing the exchange to overpay gas for transactions, potentially draining their ether wallets.
Prior to publicly disclosing this vulnerability, Level K, Trail of Bits, and IC3 reached out to vulnerable exchanges, recommending they set gas limits for all Ethereum-based transactions. All affected exchanges that have received the disclosure appears to have patched the vulnerability. (Source: Failure to set gasLimit appropriately enables abuse)