ERC-20 Tokens Manipulated By Hackers Due to Bugs and Integer Overflows Within their Smart Contracts
Numerous ERC-20 smart contracts have been found to contain serious bugs that allowed hackers to generate outrageous amounts of new digital tokens. The bugs were found earlier this week by PeckShield (a cyber security firm specializing in blockchain), on April 22 and April 24 to be precise. Although the identified bugs may not be directly tied to the ERC-20 standard itself, many crypto exchanges have opted to halt all activity involving ERC-20 tokens until further notice, including giants like Poloniex and Changelly.
Huobi Pro, which is arguably the most secure exchange in operation, announced publicly that it would halt deposits and withdrawals of all coins for its users. It has since retracted that to only suspending ERC-20 tokens. Huobi stated clearly on its website: “We have already suspended deposits and withdrawals of all coins. Once we have rectified this issue, we will resume all deposits and withdrawals. The safety of our users’ wallets is our top priority. We apologize for any inconvenience caused during this period.” Huobi has time and time again proven to have stellar security measures. Earlier this year Huobi announced its “Huobi Buybacks” initiative, under which Huobi buys back large amounts of HT and holds them in reserve in case a security breach occurs and affected users must be compensated. In addition, Huobi has never been hacked or breached.
Let’s analyze the bugs, what the hackers were able to accomplish, and what exactly transpired. In one insane example of a hack, 57.9 * 10⁵⁷ BeautyChain tokens were stolen. When the transaction appeared on Etherscan, investigations were initiated. PeckShield announced: “Our study shows that such transfer comes from an ‘in-the-wild’ attack that exploits a previously unknown vulnerability in the contract. For elaboration, we call this particular vulnerability batchOverflow. We point out that batchOverflow is essentially a classic integer overflow issue.” The batchOverflow post explains that the batchTransfer function in the smart contract caps the number of tokens that may be moved in a single call, and that the total value being transacted must stay below the total amount of tokens ever generated. Nevertheless, certain parameters, including “_value”, can be manipulated so that the computed total overflows, which changes the variables being checked and allows hackers to generate an infinite amount of tokens. Another network, dubbed “SmartMesh”, was also hacked, and a transaction recorded on Etherscan shows how ridiculous the breach was. To be more graphic:
[Etherscan transaction screenshot: the amount an individual transferred and its dollar value were shown as an image and are not reproduced here.]
OKEx suspended ERC-20 tokens following the discovery of this transaction. In addition, SmartMesh announced: “The SmartMesh Foundation will take the equivalent amount of SMT to the counterfeit amount and destroy it to make up for the losses caused, and keep the total supply of SMT at the value of 3,141,592,653.”
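As an added illustration (not code from this article, from PeckShield, or from the affected contracts), the following Python model reproduces the arithmetic behind the batchOverflow check described above: an unchecked product of receiver count and `_value` wraps modulo 2^256, so the sender's balance check passes, whereas a SafeMath-style checked multiplication rejects the same call. The function and variable names are assumptions; the check order mirrors the pattern the article describes (count capped, value positive, balance at least count times value).

```python
from typing import Optional

# Added example: a Python model of the batchTransfer balance check, not the
# contract's own Solidity. Names are assumptions for illustration.
UINT256_MAX = 2**256 - 1


def evm_mul(a: int, b: int) -> int:
    """Unchecked EVM multiplication: wraps modulo 2**256 like pre-0.8 Solidity."""
    return (a * b) & UINT256_MAX


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: raises instead of wrapping (the fix).
    In Solidity this is the classic `require(c / a == b)` guard."""
    if a == 0:
        return 0
    c = a * b
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c


def batch_transfer_total(sender_balance: int, receiver_count: int,
                         value: int, *, checked: bool) -> Optional[int]:
    """Return the amount debited from the sender, or None when the call is rejected.

    Mirrors the checks the article attributes to batchTransfer: a cap on the
    number of receivers (assumed 20 here), value > 0, and balance >= cnt * value.
    Only the multiplication differs between the vulnerable and fixed variants.
    Each receiver would then be credited `value` tokens; if the product wrapped
    to a small number the sender pays almost nothing for that credit.
    """
    if not (0 < receiver_count <= 20) or value <= 0:
        return None
    try:
        amount = (checked_mul if checked else evm_mul)(receiver_count, value)
    except OverflowError:
        return None          # fixed contract reverts here
    if sender_balance < amount:
        return None
    return amount
```

The unchecked variant accepts a zero-balance sender when `receiver_count * value` is a multiple of 2^256, which is exactly the condition the checked variant turns into a revert.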
By Jaime Gutt.