Dangerous Bug in ERC-20 Token Code Found

ChainReport
Published May 21, 2018

Exchanges Suspend ERC-20 Token Support

A newly disclosed smart contract bug in ERC-20 token code, nicknamed BatchOverflow, caused the Hong Kong-based cryptocurrency exchange OKEx to suspend all ERC-20 token deposits on April 25th. OKEx is the third largest exchange in the cryptocurrency world by trade volume. Coinone, Poloniex, and HitBTC have taken similar precautions to keep their users' funds intact.

A Classic Bug in a New Form

In computing, an integer overflow happens when an arithmetic result exceeds the largest value its variable can hold. In Solidity versions before 0.8, arithmetic on a uint256 does not fail when this happens; it silently wraps around modulo 2^256, so a product that is too large simply becomes a small number. The bug is not in the ERC-20 standard itself but in a non-standard function called batchTransfer that BeautyChain (BEC) and several other tokens added on top of it. batchTransfer takes two parameters: a list of receiver addresses and an amount to send to each of them. It computes the total to deduct from the sender as the number of receivers multiplied by the per-receiver amount, then checks that the sender holds at least that total. If an attacker passes a per-receiver amount large enough that the multiplication wraps, the computed total becomes zero (or close to it), the balance check passes, and every receiver is credited with the full, enormous per-receiver amount. Tokens are effectively created from nothing, as the massive transfers on BeautyChain show; take a look at this block explorer: https://etherscan.io/token/0x5652ef57783eb0a9538d15bd94e52f932aac5311
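As an added illustration that is not part of the original article and not code from BeautyChain's contract, the following Python script models the reported batchTransfer pattern (a list of receivers, one per-receiver amount, a total computed as their product, and a balance check against that total) with uint256 arithmetic wrapped modulo 2^256 the way pre-0.8 Solidity does. The vulnerable version sits beside a SafeMath-style checked version. The ledger, the addresses and the attacker's starting balance are constructed sample data, and overflow_value is a helper defined here for the example, not a function from any contract; it goes beyond the two-receiver case by computing a wrapping amount for any receiver count.

```python
# Added example, not code from the original article or from BeautyChain's contract.
# Models the reported batchTransfer overflow pattern in Python, with uint256
# arithmetic wrapped modulo 2**256 as Solidity did before version 0.8.
# Addresses and balances below are constructed sample data.

MODULUS = 2**256


def u256(x):
    """Wrap an integer to an unsigned 256-bit value (pre-0.8 Solidity semantics)."""
    return x % MODULUS


def checked_mul(a, b):
    """SafeMath-style multiplication: revert if the product does not fit in 256 bits."""
    c = u256(a * b)
    if a != 0 and c // a != b:
        raise ValueError("revert: multiplication overflow")
    return c


def overflow_value(cnt):
    """Smallest per-receiver value for which cnt * value wraps to less than cnt.

    ceil(2**256 / cnt) puts the true product in [2**256, 2**256 + cnt), so the
    wrapped total the contract deducts from the sender is between 0 and cnt - 1.
    (Helper written for this example, not part of any contract.)
    """
    return -(-MODULUS // cnt)


class Token:
    """Minimal ERC-20-style ledger with only what batchTransfer needs."""

    MAX_RECEIVERS = 20

    def __init__(self, owner, supply):
        self.balances = {owner: supply}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _batch_transfer(self, sender, receivers, value, mul):
        cnt = len(receivers)
        if not 0 < cnt <= self.MAX_RECEIVERS:
            raise ValueError("revert: bad receiver count")
        # The only difference between the two versions is how this product is computed.
        amount = mul(cnt, value)
        if not (value > 0 and self.balance_of(sender) >= amount):
            raise ValueError("revert: insufficient balance")
        self.balances[sender] = u256(self.balance_of(sender) - amount)
        for r in receivers:
            self.balances[r] = u256(self.balance_of(r) + value)
        return amount

    def batch_transfer_vulnerable(self, sender, receivers, value):
        """Wrapping multiplication: the deducted total can be far smaller than cnt * value."""
        return self._batch_transfer(sender, receivers, value, lambda a, b: u256(a * b))

    def batch_transfer_fixed(self, sender, receivers, value):
        """Checked multiplication: an overflowing total reverts before any balance changes."""
        return self._batch_transfer(sender, receivers, value, checked_mul)


def demo():
    """Run the attack against both versions and return what each one did."""
    receivers = ["0xA", "0xB"]              # constructed sample addresses
    value = overflow_value(len(receivers))  # 2**255 for two receivers

    vuln = Token("attacker", 1)  # the attacker holds a single token unit
    deducted = vuln.batch_transfer_vulnerable("attacker", receivers, value)

    fixed = Token("attacker", 1)
    try:
        fixed.batch_transfer_fixed("attacker", receivers, value)
        reverted = False
    except ValueError:
        reverted = True

    return {
        "deducted_from_attacker": deducted,
        "receiver_balance": vuln.balance_of("0xA"),
        "attacker_balance": vuln.balance_of("attacker"),
        "fixed_version_reverted": reverted,
        "fixed_receiver_balance": fixed.balance_of("0xA"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the attacker, who holds one token unit, crediting each receiver with 2^255 units while being charged nothing, because 2 * 2^255 wraps to 0 and the balance check compares against that 0. The checked version reverts before any balance changes. Solidity 0.8 and later makes checked arithmetic the default, so contracts compiled with older versions, or code inside `unchecked` blocks, are the ones to audit for this pattern.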

A Difficult Bug to Exterminate

Because deployed contract code is immutable ("code-is-law") and each token is its own contract on the Ethereum smart contract platform, there is no single global fix: every affected token has to be dealt with separately, by pausing the contract if its owner has a pause switch, or by deploying a corrected contract and migrating balances to it. A change to the Ethereum protocol itself would not help, since the bug lives in individual token contracts rather than in the network, and a fork of that kind requires the majority of miners and node operators to adopt it. Ethereum has done this once before: after funds were drained from a flawed contract (The DAO), a hard fork reversed the loss for investors, leaving Ethereum as the modified chain and Ethereum Classic as the unchanged chain with the draining transactions intact, adhering to "code-is-law". Another hard fork of that kind would be extremely contentious for Ethereum, and nothing of the sort is needed for this bug; the practical responses are exchange deposit freezes like those above, contract pauses, and redeployment of the affected tokens.

Originally published at ChainReport.
