Quantstamp’s assessment of the recent batchOverflow and proxyOverflow vulnerabilities

The vulnerable batchTransfer function

batchOverflow and proxyOverflow present an unfortunate but critical message: smart contract auditing is vital. The bugs themselves are fairly simple and are able to be executed readily. These bugs work by performing an attack known as “integer overflow.” Integer overflow occurs when trying to place an integer (a whole number) into a space in memory that is too large for the integer data type.

In application, what this means is that by flooding the system with a number too large for use an attacker could create an additional supply of tokens that do not exist within the system. For exchanges, this presents an immense attack vector, as token minting can occur without necessary sanity checks that properly assure issuance of the token. In relevant transactions, this will appear to mint tokens out of seemingly nothing.

That is how the bugs were initially caught. On April 22nd, PeckShield’s automated system scanning for unusual activity in ERC20 token transfers noted that an anomalously large amount of token had been transferred in BEC (BeautyChain). After the transfer, the PeckShield team analyzed the BeautyChain contract for vulnerabilities — and found batchOverflow. A brief synopsis is available on Medium concerning batchOverflow and proxyOverflow.

Although not every ERC20 token was open to this vulnerability — and it should be noted that the flaw is not within the ERC20 standard itself — many contracts were published that never were checked for these potential exploits.

To serve our community, Quantstamp has contacted affected tokens and their relevant exchanges to assist at cost. We won’t be making a profit from our effort to make the Ethereum ecosystem more secure.

Catching vulnerabilities before contracts go live is a better solution than rapid patches. We would love to help you solve these issues in advance, please contact security@quantstamp.com for more information.




ceo @ threatkey

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

DBSync Blogs | 8 Convincing Reasons to Opt for Cloud Integration

Home automation — Is it safe to log on from a remote location?

A smart home requires also a defensive strategy. Especially when you make the smart home brain accessible from the Internet.

Your privacy and data monetisation in new regime of GDPR

{UPDATE} First Words Halloween Hack Free Resources Generator

Real Life Examples Of Web Vulnerabilities (Revised with OWASP 2017)

Cardano Looks Ready to Accident to $0.50

Introducing Fennec NFT

Online identity theft in Malta

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonathan Haas

Jonathan Haas

ceo @ threatkey

More from Medium

Accessing Ethereum Archive Nodes with Infura

Cover image for the article: Accessing Ethereum Archive Nodes With Infura. Has the ethereum logo on top of the title and infura logo beneath the title

Beating Ethernaut: level 7 Force

NEXT SMART Chain, MAIN NET release v1.0 (Orion)

How to deploy an Application on IPFS using 4EVERLAND CLI