Quantstamp’s security assurance on the OmiseGO token contract in the context of batchOverflow and proxyOverflow

Jonathan Haas
Apr 26, 2018
A snippet of the OMGToken Contract

When Quantstamp performs an audit, we traditionally look for a menagerie of vulnerabilities, attempting to unearth structural deficiencies in the code while also identifying common pitfalls. Concepts such as reentrancy, bad randomness, and transaction ordering dependence (amongst many others) are all topics we touch upon in a full-scope audit.

In this particular instance, Quantstamp focused explicitly on two specific vulnerabilities, batchOverflow and proxyOverflow, which share the same underlying premise: integer overflow.

OmiseGO took many precautions in the construction of the OmiseGO token, notably by using the SafeMath library for every arithmetic operation.

While this does introduce a gas overhead (mainly on deployment), performing arithmetic this way explicitly checks for integer overflow, and if an overflow or underflow occurs, the SafeMath library reverts to the previous safe state (through the use of assert).

assert(false) compiles to 0xfe, an invalid opcode, which uses up all remaining gas and reverts all changes. While this may sound a bit extreme, properly functioning code should never reach this failing assert statement, which makes it ideal for guarding against integer overflow.

StackExchange provides a fairly simple example (reproduced below) of this in action, in which the safeSubtract function avoids the integer underflow that plain subtraction causes.

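    import "./SafeMath.sol";

    contract TestSafeMath {
        using SafeMath for uint256;

        // Unchecked: on pre-0.8 compilers, 0 - 1 wraps around to 2**256 - 1.
        function unsafeSubtract() public pure returns (uint256) {
            uint256 a = 0;
            return a - 1;
        }

        // Checked: SafeMath's sub hits a failing assert, so the call reverts.
        function safeSubtract() public pure returns (uint256) {
            uint256 a = 0;
            return a.sub(1);
        }
    }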
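
The example above imports SafeMath.sol without showing what it checks. The following sketch is an added illustration, not code from the original post, from OmiseGO, or from the SafeMath library itself; it shows SafeMath-style checks and how a failing assert undoes a half-finished transfer. The names CheckedMath and CheckedLedger are hypothetical, and a 0.4.x compiler (where plain arithmetic wraps silently) is assumed.

```solidity
pragma solidity ^0.4.24;

// Added illustration of SafeMath-style checks (hypothetical names).
library CheckedMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;       // wraps modulo 2**256 on 0.4.x compilers
        assert(c >= a);          // a wrapped sum is always smaller than a
        return c;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        assert(b <= a);          // otherwise a - b would wrap to a huge value
        return a - b;
    }

    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) {
            return 0;            // avoids dividing by zero in the check below
        }
        uint256 c = a * b;
        assert(c / a == b);      // division recovers b only if the product did not wrap
        return c;
    }
}

contract CheckedLedger {
    using CheckedMath for uint256;

    mapping(address => uint256) public balances;

    constructor(uint256 supply) public {
        balances[msg.sender] = supply;
    }

    function transfer(address to, uint256 value) public returns (bool) {
        // Fails if value exceeds the sender's balance (underflow).
        balances[msg.sender] = balances[msg.sender].sub(value);
        // Fails if the recipient's balance would wrap (overflow). Because a
        // failing assert reverts all changes, the debit above is undone too.
        balances[to] = balances[to].add(value);
        return true;
    }
}
```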

This publication is part of Quantstamp’s assessment of the recent batchOverflow and proxyOverflow vulnerabilities and our commitment to the community.

We would love to help you solve these issues in advance. Please contact security@quantstamp.com for more information.