On April 25, 2018, the Hong Kong-based exchange OKEx halted all Ethereum ERC-20 transactions on its platform following the discovery of a smart contract bug, BatchOverFlow, which allows attackers to generate tokens freely and deposit them in a wallet.
BatchOverflow Bug Targets Smart Contracts
The blockchain security startup PeckShield discovered the smart contract bug. PeckShield has developed an automated system that scans and examines ERC-20 token transfers on the Ethereum blockchain. The startup published its findings on the company’s Medium page on April 22, 2018.
The PeckShield system raised an alert when it detected an unusual transaction involving the BeautyChain (BEC) token: an operation attempting to send enormous amounts of BEC tokens to two different wallet addresses.
A closer look at the code of the affected smart contract revealed a previously unknown vulnerability that made the attack possible. Further investigation showed that the flaw affects 12 different ERC-20 tokens. The PeckShield team confirmed the bug by reproducing the same kind of transaction with a non-tradable token.
In a statement, OKEx acknowledged the existence of the bug and asserted that they were “suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – ‘BatchOverFlow.’ By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”
— OKEx (@OKEx_) April 25, 2018
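As an added illustration of the defect class behind the statement above (this is example code, not from the article, PeckShield or OKEx): a toy Python ledger models an ERC-20-style batch transfer whose "total amount" is computed as count × value in 256-bit arithmetic. With wrapping arithmetic (pre-0.8 Solidity semantics) the product can wrap to zero, so the sender's balance check passes and every receiver is still credited, breaking the supply invariant; with checked arithmetic the same call reverts. Token name, balances and account labels are constructed for the demo.

```python
# Toy model of an ERC-20-style batchTransfer, showing why the BatchOverFlow
# class of bug lets a balance check pass while minting tokens out of thin air,
# and how checked arithmetic (SafeMath-style / Solidity >= 0.8) closes it.
# Everything here is constructed for illustration; it is not the BEC contract.

UINT256_MAX = 2**256 - 1


class InsufficientBalance(Exception):
    pass


class ArithmeticOverflow(Exception):
    pass


class Token:
    """Minimal ledger. checked=False mimics wrapping uint256 arithmetic;
    checked=True mimics SafeMath / Solidity 0.8 reverting on overflow."""

    def __init__(self, balances, checked):
        self.balances = dict(balances)
        self.checked = checked

    def _mul(self, a, b):
        product = a * b
        if product > UINT256_MAX:
            if self.checked:
                raise ArithmeticOverflow("cnt * value exceeds uint256")
            product &= UINT256_MAX  # silent wrap-around, as in unchecked code
        return product

    def batch_transfer(self, sender, receivers, value):
        cnt = len(receivers)
        amount = self._mul(cnt, value)  # the line whose overflow matters
        if self.balances.get(sender, 0) < amount:
            raise InsufficientBalance("sender cannot cover amount")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        for r in receivers:
            # per-receiver credit uses the unwrapped `value`, so each receiver
            # still gets the full amount even when `amount` wrapped to 0
            self.balances[r] = (self.balances.get(r, 0) + value) & UINT256_MAX
        return amount


def sum_of_balances(token):
    """Supply invariant: the sum of all balances must not change on transfer."""
    return sum(token.balances.values())


def run_unchecked():
    """Wrapping arithmetic: returns (supply before, supply after, bob's balance)."""
    token = Token({"alice": 100}, checked=False)
    before = sum_of_balances(token)
    # Two receivers with value 2**255: 2 * 2**255 == 2**256, which wraps to 0,
    # so alice's balance of 100 satisfies the check against amount == 0.
    token.batch_transfer("alice", ["bob", "carol"], 2**255)
    after = sum_of_balances(token)
    return before, after, token.balances["bob"]


def run_checked():
    """Checked arithmetic: returns (reverted?, supply after the attempt)."""
    token = Token({"alice": 100}, checked=True)
    try:
        token.batch_transfer("alice", ["bob", "carol"], 2**255)
    except ArithmeticOverflow:
        return True, sum_of_balances(token)
    return False, sum_of_balances(token)


if __name__ == "__main__":
    before, after, bob = run_unchecked()
    print(f"unchecked: supply {before} -> {after}, bob holds {bob}")
    reverted, supply = run_checked()
    print(f"checked: reverted={reverted}, supply still {supply}")
```

The supply-invariant check in `sum_of_balances` is also the simplest off-chain detection for this bug class: a monitor that recomputes the sum of balances after each transfer event will see it jump, which is essentially the signal PeckShield's scanner used to flag the BEC transaction.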
For now, there is no way to fix the bug in the affected contracts. The most practical course of action is to delist the vulnerable tokens from cryptocurrency exchanges so that attackers cannot profit from the vulnerability. Another obstacle to closing this security loophole stems from the design of Ethereum itself. According to PeckShield, with “the touted ‘code-is-law’ principle in Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!”
An attacker could simply trade the generated tokens for major assets such as BTC, ETH, or even U.S. dollars. This opening for hackers could adversely affect the entire crypto market, as the prices of specific coins could fluctuate sharply.
What is your take on the new smart contract bug? Share your views in the comments section.