Claim part 1: Some exchanges that didn’t set an appropriate gasLimit when sending out Ethereum transactions were affected by a vulnerability involving the GasToken contract
In the paper titled ‘failure to set gasLimit appropriately enables abuse’, the authors explain exactly how this vulnerability would force exchanges to burn their Ethereum and could be financially beneficial to an attacker minting GasToken. Sending ETH to a contract address executes that contract’s fallback function, so if there is no gasLimit, attackers can make exchanges pay for large computations and drain the exchange’s hot wallet or mint GasToken for a potential profit.
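The mitigation side of this, as an added example that is not code from the paper or from LevelK: a withdrawal sender that fixes the gas limit before signing, so the recipient's fallback function cannot decide how much the exchange pays. The `Withdrawal` record, the `contract_gas_cap` parameter and the sample queue are assumptions made for illustration.

```python
from dataclasses import dataclass

PLAIN_TRANSFER_GAS = 21_000   # intrinsic gas of a plain ETH transfer
WEI_PER_GWEI = 10**9

@dataclass(frozen=True)
class Withdrawal:              # hypothetical record, not an exchange's schema
    to: str
    recipient_has_code: bool   # True when the address holds contract code
    estimated_gas: int         # node estimate; the recipient's fallback drives it

def choose_gas_limit(w, contract_gas_cap):
    """Return (gas_limit, action) so the fee is bounded before signing."""
    if not w.recipient_has_code:
        return PLAIN_TRANSFER_GAS, "send"
    if w.estimated_gas > contract_gas_cap:
        # The fallback wants more gas than the operator will pay for: do not send.
        return 0, "hold_for_review"
    return max(w.estimated_gas, PLAIN_TRANSFER_GAS), "send"

def fee_exposure_wei(withdrawals, contract_gas_cap, gas_price_gwei):
    """Worst-case fees as (trusting the estimate, applying the cap)."""
    price = gas_price_gwei * WEI_PER_GWEI
    uncapped = sum(max(w.estimated_gas, PLAIN_TRANSFER_GAS) for w in withdrawals)
    capped = sum(choose_gas_limit(w, contract_gas_cap)[0] for w in withdrawals)
    return uncapped * price, capped * price

# Constructed sample queue; the addresses are placeholders.
QUEUE = [
    Withdrawal("0xEOA...01", False, 21_000),
    Withdrawal("0xWALLET...02", True, 30_000),     # small fallback
    Withdrawal("0xHEAVY...03", True, 4_000_000),   # expensive fallback
]

if __name__ == "__main__":
    for w in QUEUE:
        print(w.to, choose_gas_limit(w, contract_gas_cap=50_000))
    print(fee_exposure_wei(QUEUE, contract_gas_cap=50_000, gas_price_gwei=20))
```

With the constructed queue, the cap holds the third withdrawal for review and the worst-case fee drops from 4,051,000 gas to 51,000 gas at the same gas price.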
Claim part 2: Exchanges were notified of this vulnerability in a private disclosure on Nov 13th and they have patched it since
In their public disclosure, LevelK announced that they had contacted exchanges in a private disclosure prior to this post and revealed the vulnerability. To the best of their knowledge, the exchanges had fixed the issue.