The Hong Kong-based exchange stopped ERC20 trading today as a result of a bug that permitted hackers to generate astronomical amounts of tokens on certain startups' blockchains.
OKEx, the third-largest exchange in the world by trade volume, just suspended ERC20 activity due to a vulnerability they are calling BatchOverFlow.
“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug—‘BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers,” the company wrote in its support announcements.
The specific problem with ERC20 is that it doesn't return any errors when an integer is pushed past its maximum value. It just keeps running the code. This may permit hackers to push the integer to a point that it wraps around, creating what is known in the programming community as an “overflow.”
Reverse-engineering an attack
BeautyChain was among the very first to fall victim to such an attack on Sunday, when attackers generated 10^58 (that's a one with 58 zeros after it) BEC tokens by taking advantage of an integer overflow vulnerability in the “batchTransfer()” function of its smart contract code.
“At 13:18 on April 22, BEC's prices fluctuate [sic] significantly due to the smart contract safety issue on the BEC. After the probe by the Beauty Chain Foundation, the Beauty Chain has suspended all transactions and transfers,” the organization's website presently reads.
By looking at the smart contract code, we can spot the “batchTransfer()” function and find that it takes three arguments, including one called “_value”, indicating the quantity of tokens that should be sent to each address in an array of addresses, which is passed into the function as “_receivers”.
The “_value” integer is the problem here. The hackers could simply pass a “_value” with an astronomically large number and the function will cave in without performing the checks it should. Because the overflowed amount defaults to zero, the conditional “require()” later in the code doesn't do its job and the platform sends the impossibly enormous amount of tokens to the hackers.
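An added example (not the article's code and not the BEC contract's actual source): a Python model of the unchecked uint256 multiplication the article describes, with an overflow-checked version beside it. The balances, addresses and the crafted `_value` are constructed for the demonstration.

```python
UINT256_MOD = 2**256

def wrap(x):
    """Solidity <0.8 uint256 arithmetic: results silently wrap modulo 2**256."""
    return x % UINT256_MOD

def batch_transfer_unchecked(balances, sender, receivers, value):
    """Vulnerable shape: amount = cnt * value with wrapping multiplication.
    Returns True if the transfer went through, False if a check rejected it."""
    cnt = len(receivers)
    amount = wrap(cnt * value)  # for a crafted value the product wraps to 0
    # The require()-style balance check compares against amount == 0, so it passes.
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        return False
    balances[sender] = wrap(balances.get(sender, 0) - amount)
    for r in receivers:
        balances[r] = wrap(balances.get(r, 0) + value)
    return True

def checked_mul(a, b):
    """SafeMath-style multiply: refuse any product that does not fit in uint256."""
    c = a * b
    if c >= UINT256_MOD:
        raise OverflowError("uint256 multiplication overflow")
    return c

def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened shape: the overflow is caught before any balance changes."""
    cnt = len(receivers)
    try:
        amount = checked_mul(cnt, value)
    except OverflowError:
        return False
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        return False
    balances[sender] -= amount
    for r in receivers:
        balances[r] = balances.get(r, 0) + value
    return True

def run_scenario(transfer):
    """Constructed scenario: the sender holds 1000 tokens and names two receivers,
    with _value chosen so that 2 * _value == 2**256, i.e. the amount wraps to 0."""
    balances = {"sender": 1000}
    crafted_value = 2**255
    ok = transfer(balances, "sender", ["addr_a", "addr_b"], crafted_value)
    return ok, balances
```

With the unchecked arithmetic the sender's balance is untouched while each receiver is credited 2**255 tokens; with the checked multiplication the call is rejected and no balance moves.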
Beauty Chain's announcement of the suspension made its BEC token lose half its value, despite the fact that the team managed to pause the smart contract before the hackers could cash out their tokens. The startup promised that it would work on launching a patched contract in the near future.
The dangers of copycatting
OKEx used the word “many” to describe the proportion of ERC20 tokens affected by this bug for a reason: there are a lot of them using smart contracts with this particular batch function.
When code is standardized and copied from one smart contract to the next instead of written from scratch, the lack of diversity exposes the weaknesses in the collective ecosystem. To prevent these sorts of situations, ERC20 smart contracts should be written without using code generators. And for that, one would need the resources to hire skilled coders.
For now, OKEx said that it has the situation under control and has “contacted the affected token teams to conduct an investigation and take necessary measures to prevent the attack.” However, it's important to note that smart contracts are not infallible, and companies should do their best to audit their code, perhaps even running bug bounties to ensure that they get the most talented individuals possible to hunt for potential vulnerabilities.