Overflow error shuts down token trading


via TC

A recently discovered programming error can make some crypto tokens susceptible to hackers. The exploit allows a hacker to pass an unusually high value to the exchange and get a ridiculous number of tokens in exchange, a problem that has caused the Okex exchange to shut down all token trading, including one called BeautyChain (BEC).

What’s really interesting is how the hack worked. As you can see above, a line in the smart contract creates another value – amount – by multiplying cnt and _value. The hackers made a transfer and set the value to eight vigintillion – an eight with 63 zeroes. When this value is passed, the code overflows, allowing the hacker to gain a massive number of tokens. Thanks to the smart contract’s “code-is-law” principle, each of these transfers is technically legitimate.

“There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!” wrote one researcher on Medium. “With that, we further run our system to scan and analyze other contracts. Our results show that more than a dozen of ERC20 contracts are also vulnerable to batchOverflow.”

In response, Okex shut down all ERC-20 tokens, but there are other exchanges and tokens susceptible to the hack.

“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack,” Okex wrote.

4 Likes

A bug in an Ethereum smart contract virtually allows the hackers to generate a high amount of ERC20 tokens out of thin air. The exchange that noticed this was OKEx, and once they identified the bug they locked all deposits of ERC20 tokens from the exchange.

All ERC20 tokens are now at risk of price manipulation as the tokens that were generated from the hack still hold value and could be sold off.

Fix? Never trust ethereum or ERC20 tokens. :man_shrugging:t4:

1 Like

@BTC_MJ only the small number of ERC20 smart contracts that have the buggy batchTransfer() function.

3 Likes

Hmmm crypto is such a hacker paradise right now…why aren’t these people hardening? Oh because they want that ICO $$$ kinda like MS did when they shipped Windows 98

I know this is sick…but I really love the chaos of crypto. It’s endless entertainment

3 Likes

This is what happens when programmers don’t do bounds checking.

Never trust ANY input, always check input for sanity and reject the input if it does not meet expected rules.

Think we need to send these programmers back to script kiddy school :wink:

Stay Fishy

3 Likes
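To make the overflow in the article's `amount = cnt * _value` line and the "always check input" advice in the last post concrete, here is an added Python model of the batchTransfer() arithmetic (not code from the thread or from the BEC contract). It assumes the "eight with 63 zeroes" figure is the 64-hex-digit value 0x8000…0, i.e. 2^255, and uses constructed balances.

```python
# Added example: uint256 wrap-around in a batchTransfer()-style function,
# beside a checked version that rejects the overflowing product.

UINT256_MAX = 2**256 - 1

def batch_transfer_unchecked(balances, sender, receivers, value):
    """Vulnerable shape: amount = cnt * _value with no overflow check.
    The multiply wraps modulo 2**256 exactly as EVM uint256 arithmetic does."""
    cnt = len(receivers)
    amount = (cnt * value) & UINT256_MAX      # wraps; 2 * 2**255 becomes 0
    if balances.get(sender, 0) < amount:     # passes with a zero balance
        raise ValueError("insufficient balance")
    balances[sender] -= amount
    for r in receivers:                       # each receiver still gets `value`
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return amount

def checked_mul(a, b):
    """SafeMath-style multiply: reject any product that does not fit in uint256."""
    prod = a * b
    if prod > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return prod

def batch_transfer_checked(balances, sender, receivers, value):
    """Same logic, but the product is bounds-checked before the balance test."""
    amount = checked_mul(len(receivers), value)
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] -= amount
    for r in receivers:
        balances[r] = balances.get(r, 0) + value
    return amount

def rejects_overflow(cnt, value):
    """True when the checked multiply refuses cnt * value."""
    try:
        checked_mul(cnt, value)
        return False
    except OverflowError:
        return True

# Constructed input (assumption): "8" followed by 63 hex zeros == 2**255
HUGE = int("8" + "0" * 63, 16)

def demo():
    balances = {"sender": 0, "a": 0, "b": 0}   # constructed: sender holds nothing
    amount = batch_transfer_unchecked(balances, "sender", ["a", "b"], HUGE)
    return amount, balances["a"], balances["b"]

if __name__ == "__main__":
    amt, a, b = demo()
    print(f"wrapped amount={amt}, a={a:#x}, b={b:#x}")
    print("checked version rejects 2 * HUGE:", rejects_overflow(2, HUGE))
```

Running it shows the unchecked path debiting 0 from an empty balance while crediting 2^255 tokens to each receiver, and the checked path refusing the same call.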
