Quantstamp’s assessment of the recent batchOverflow and proxyOverflow vulnerabilities

Jonathan Haas
The vulnerable batchTransfer function

batchOverflow and proxyOverflow carry an unfortunate but critical message: smart contract auditing is vital. The bugs themselves are fairly simple and can be exploited readily. Both rely on an attack known as “integer overflow.” Integer overflow occurs when an arithmetic result is too large to fit in the fixed-size integer (whole-number) data type that must hold it, so the stored value wraps around instead of the operation failing.

In practice, this means that by supplying a number too large for the contract's arithmetic to hold, an attacker could create an additional supply of tokens that should not exist within the system. For exchanges, this presents an immense attack vector, as tokens can be minted without the sanity checks that properly govern issuance. In the affected transactions, tokens appear to be minted out of nothing.
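To make the mechanism concrete, here is an added Python model (not code from the post or from the BEC contract) of a batchTransfer-style function over uint256 arithmetic. It pairs the unchecked multiply with a SafeMath-style checked multiply and tests the supply-conservation invariant an auditor would check; the addresses, balances and the sample value are constructed.

```python
# Added example: a model of batchTransfer over uint256, with the unchecked
# multiply beside the checked one. All names and values are constructed.
UINT256_MOD = 2**256

class SolidityRevert(Exception):
    """Stands in for a Solidity require()/assert() failure."""

def mul_unchecked(a: int, b: int) -> int:
    """Pre-0.8 Solidity uint256 multiply: silently wraps modulo 2**256."""
    return (a * b) % UINT256_MOD

def mul_checked(a: int, b: int) -> int:
    """SafeMath-style multiply: reverts when the product does not fit."""
    c = a * b
    if c >= UINT256_MOD:
        raise SolidityRevert("uint256 multiplication overflow")
    return c

def batch_transfer(balances: dict, sender: str, receivers: list, value: int, mul) -> dict:
    """Debit the sender once for cnt * value, credit each receiver `value`."""
    cnt = len(receivers)
    amount = mul(cnt, value)  # the multiplication the overflow lived in
    if not (0 < cnt <= 20 and value > 0):
        raise SolidityRevert("bad arguments")
    if balances.get(sender, 0) < amount:
        raise SolidityRevert("insufficient balance")
    new = dict(balances)
    new[sender] -= amount
    for r in receivers:
        new[r] = new.get(r, 0) + value
    return new

def supply_is_conserved(before: dict, after: dict) -> bool:
    """The invariant an audit checks: a transfer never changes total supply."""
    return sum(before.values()) == sum(after.values())

def run_scenario(mul) -> str:
    """Constructed call whose cnt * value exceeds uint256 (2 * 2**255)."""
    balances = {"0xSender": 10_000}
    value = 2**255
    try:
        after = batch_transfer(balances, "0xSender", ["0xA", "0xB"], value, mul)
    except SolidityRevert:
        return "reverted"
    return "conserved" if supply_is_conserved(balances, after) else "supply inflated"
```

With the unchecked multiply the debit rounds to zero and the invariant breaks; with the checked multiply the same call reverts, which is exactly the check an audit would have required before deployment.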

That is how the bugs were initially caught. On April 22nd, PeckShield’s automated system, which scans ERC20 token transfers for unusual activity, flagged an anomalously large amount of tokens transferred in BEC (BeautyChain). The PeckShield team then analyzed the BeautyChain contract for vulnerabilities — and found batchOverflow. A brief synopsis of batchOverflow and proxyOverflow is available on Medium.

Although not every ERC20 token was open to this vulnerability — and it should be noted that the flaw is not within the ERC20 standard itself — many published contracts were never checked for these potential exploits.

To serve our community, Quantstamp has contacted affected tokens and their relevant exchanges to assist at cost. We won’t be making a profit from our effort to make the Ethereum ecosystem more secure.

Catching vulnerabilities before contracts go live is a better solution than rapid patches. We would love to help you solve these issues in advance; please contact security@quantstamp.com for more information.
