
OKEx Halts ERC20 Trading After Finding Bug Affecting Majority of Tokens

Published 04/25/2018, 03:50 PM
Updated 04/25/2018, 04:01 PM

OKEx, the third-largest exchange in the world by trade volume, just suspended ERC20 activity due to a vulnerability they are calling BatchOverFlow.

“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug—’BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers,” the company wrote in its support announcements.

The specific problem is that the arithmetic in these ERC20 token contracts doesn’t return any error when an integer is pushed past the largest value its type can hold. Execution just keeps running with the wrapped-around result. This allows an attacker to “overload” an integer deliberately, producing what is known in the programming community as an “integer overflow.”


Reverse-engineering an attack

BeautyChain was among the first to fall victim to such an attack on Sunday, when attackers generated 10^58 (that’s a one with 58 zeros after it) BEC tokens by taking advantage of an integer overflow vulnerability in the “batchTransfer()” function of its smart contract code.

“At 13:18 on April 22, 2018, BEC’s prices fluctuate [sic] significantly due to the smart contract safety issue on the BEC. After the study by the Beauty Chain Foundation, the Beauty Chain has suspended all transactions and transfers,” the organization’s site currently reads.

By looking at the smart contract code, we can spot the “batchTransfer()” function and find that it passes three arguments, including one called “_value”, representing the quantity of tokens that should be sent to an array of addresses which is passed into the function as “_receivers”.


The “_value” integer is the problem here. The hackers could pass an astronomically huge “_value”, and the total the function computes (the number of receivers multiplied by “_value”) silently wraps around to zero instead of failing. Because that total is zero, the conditional “require()” later in the code, which compares it against the sender’s balance, passes without doing its job, and the contract credits each receiver with the impossibly enormous amount of tokens.
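The wrap-around described above, as an added example that is not code from the article or from the BEC contract: a small Python model of a batchTransfer-style function, run once with the silent modulo-2^256 arithmetic the article describes and once with a SafeMath-style checked multiplication. The function and variable names, the balance table and the sample amounts are all constructed for the illustration.

```python
"""Model of the integer-overflow failure in a batchTransfer-style function.

Added example, not the BEC contract's code. uint256 arithmetic is modelled
as Python integers reduced modulo 2**256, which is what unchecked Solidity
arithmetic does on overflow: no error, just a wrapped result.
"""

UINT256_MOD = 2**256


def mul_wrapping(a, b):
    """Multiplication the way unchecked uint256 arithmetic behaves: silently mod 2**256."""
    return (a * b) % UINT256_MOD


def mul_checked(a, b):
    """SafeMath-style multiplication: refuse any product that does not fit in 256 bits."""
    if a == 0:
        return 0
    c = a * b
    if c >= UINT256_MOD:  # the product would have wrapped
        raise OverflowError(f"{a} * {b} does not fit in uint256")
    return c


def batch_transfer(balances, sender, receivers, value, checked):
    """Return a new balance table after sending `value` to each receiver.

    Mirrors the pattern in the article: total = count * value, then a
    require()-style check of the total against the sender's balance.
    With checked=False the total can wrap to zero and the check passes.
    """
    balances = dict(balances)  # constructed balance table, copied so callers keep theirs
    cnt = len(receivers)
    multiply = mul_checked if checked else mul_wrapping
    amount = multiply(cnt, value)
    # The require() equivalent: non-empty batch, positive value, enough balance.
    if not (cnt > 0 and value > 0):
        raise ValueError("empty batch or zero value")
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] -= amount
    for receiver in receivers:
        balances[receiver] = (balances.get(receiver, 0) + value) % UINT256_MOD
    return balances


def checked_version_rejects(balances, sender, receivers, value):
    """True if the checked arithmetic refuses the transfer that the wrapping one accepts."""
    try:
        batch_transfer(balances, sender, receivers, value, checked=True)
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    start = {"treasury": 100}          # constructed: sender holds 100 tokens
    two = ["alice", "bob"]
    print(batch_transfer(start, "treasury", two, 10, checked=False))
    # Two receivers times 2**255 is exactly 2**256, which wraps to 0.
    print(batch_transfer(start, "treasury", two, 2**255, checked=False))
    print(checked_version_rejects(start, "treasury", two, 2**255))
```

The honest transfer behaves identically under both arithmetics; only the oversized `value` separates them. With wrapping, the sender keeps the full 100 tokens while each receiver is credited with 2^255, which is the shape of the failure the exchanges reacted to. With the checked multiplication, the same call raises before any balance is touched, which is the behaviour a SafeMath library (or, today, the compiler's built-in checked arithmetic) provides.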

Beauty Chain’s announcement of suspension made its BEC token lose half its value despite the fact that the team managed to pause the smart contract before the hackers could cash out their tokens. The startup promised that it would work on launching a patched contract in the near future.

The dangers of copycatting

OKEx used the word “many” to describe the proportion of ERC20 tokens affected by this bug for a reason. There are a lot of them using smart contracts with this particular batch function.

When code is standardized and copied from one smart contract to the next instead of written from scratch, the lack of diversity exposes the weaknesses in the collective ecosystem. To prevent these sorts of situations, ERC20 smart contracts should be written without using code generators. And for that, one would need the resources to hire skilled coders.

For now, OKEx said that it has the situation under control and has “contacted the affected token teams to conduct an investigation and take necessary measures to prevent the attack.” However, it’s important to note that smart contracts are not infallible and companies should do their best to audit their code, perhaps even involving bug bounties to ensure that they get the most talented individuals possible to hunt for potential vulnerabilities.


This article appeared first on Cryptovest
