batchOverflow Bug Affecting ERC-20 Tokens Such As Smartmesh – What Happened?
Just a few days ago panic hit the world of crypto as MyEtherWallet was attacked via a global DNS hack, leading to a fairly significant loss of funds for several affected users. This Wednesday 26th, Ethereum’s streak of bad luck continued, as several exchanges had to suspend deposits of ERC-20 tokens following the discovery of the so-called “batchOverflow” bug.
- PeckShield, a blockchain security company, detected suspicious activity of ERC-20 token transfers – in terms of huge transactions being carried out – and sent out an alert.
- Huobi Pro, Poloniex, and OKEX all quickly suspended trading, as well as withdrawals and deposits.
- SmartMesh (SMT) claimed their smart contract was attacked as well, though Huobi’s system detected the abnormal transactions and didn’t credit them.
- The bug isn’t tied to the ERC-20 standard directly, but the fact that ERC-20 tokens were hit led to them being suspended while the exchanges in question investigated the situation.
Due to unforeseen circumstances, Huobi Pro has suspended the deposits & withdrawals of ALL coins. This is for the safety of all users.
Once the SMT problem had been resolved, we will resume all deposits & withdrawals. Details, pls visit https://t.co/eXDf41OXzo
— Huobi Pro (@Huobi_Pro) April 25, 2018
Events such as this demonstrate the value of a good exchange. While a few exchanges like Huobi Pro acted quickly and transparently to make sure their users’ funds were secure, it is not always the case, with users often being left in the dark by their exchanges – Mt. Gox and BitGrail come to mind. Additionally, a project such as Quantstamp – a smart contract auditing project which we analysed here – also shows its worth, as it is likely that these defective smart contracts would have been stamped out early on before they had even gotten close to exchanges.
How did it happen?
An integer overflow – the bug’s namesake – is a classic computer error which occurs when trying to place an integer (a whole number) into computer memory that is too big for the integer data type in a system. When the number exceeds the limitations of the system, it “overflows” and wraps around back to 0. By manipulating the smart contract’s vulnerable batchTransfer() function, the _value condition can be changed to become abnormally huge and overflow to 0. When amount is zeroed, a sanity check (which should normal prevent an attacker proceeding) is easily bypassed, and the sum of the huge _value condition is generated in tokens and can be sent, as can be seen below – the transaction log of which can be seen here. PeckShield, after discovering this, analysed other contracts and found that over a dozen ERC-20 contracts are vulnerable to this same bug.
If this wasn’t bad enough, there are two more worries that PeckShield notes. First off, due to Ethereum’s “code is law” principle “there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.” Considering there are still exchanges where coins with this bug are tradable, not to mention the issue of decentralised exchanges who inherently have no real way of countering the sale of these fraudulent tokens, it looks like this issue may still take some time to play out.
Second is that an attacker who can perform this on various vulnerable coins (really only one is needed, considering the amount of tokens generated) could potentially generate vast amounts of tokens and send them to an exchange, to be turned into BTC, ETH, or any other crypto – even fiat currencies. If so, they would hold such a vast war chest that they could easily manipulate the markets of many coins.
Disclaimer: This is a sponsored post.