An Inspection on AMMBR(AMR) Bug

p0n1
Coinmonks
3 min read · Jul 11, 2018

On July 8th, 2018, John Wick Security Lab revealed highly risky transactions in the AMMBR (AMR) contract. It contains an integer overflow bug that could be exploited by attackers calling batchTransfer(), allowing tokens to be transferred out without limit.

After reviewing the source code, the SECBIT team found that this issue parallels the earlier BEC Token issue [1]. In multiTransfer(), a variable named totalTokensToTransfer holds the total amount of tokens to be transferred out; it is computed by summing all tokens[i], and the contract checks that the sender's balance is not smaller than totalTokensToTransfer.

multiTransfer function

At first glance this function seems fine, since it checks the balance of msg.sender. However, the sum of the tokens[i] values can be large enough to overflow totalTokensToTransfer. If the wrapped value ends up smaller than balances[msg.sender], the attacker bypasses the check and transfers out more tokens than the balance holds.
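As an added example (not the AMR contract's own code), the following Python models uint256 arithmetic to show how the summed total in multiTransfer() wraps past the balance check, and how a SafeMath-style checked addition reverts the call instead. The balances, account names and amounts are constructed for illustration.

```python
# Added example (not the AMR contract's code): a model of uint256 arithmetic
# showing why summing tokens[i] without overflow checks defeats the balance check.
MASK = (1 << 256) - 1  # uint256 values wrap modulo 2**256


def unchecked_add(a: int, b: int) -> int:
    """Solidity (pre-0.8) semantics: addition silently wraps at 2**256."""
    return (a + b) & MASK


def checked_add(a: int, b: int) -> int:
    """SafeMath-style add: raise (revert) instead of wrapping."""
    c = a + b
    if c > MASK:
        raise OverflowError("SafeMath: addition overflow")
    return c


def multi_transfer(balances, sender, tos, tokens, add=unchecked_add):
    """Model of the batch-transfer pattern the article describes:
    totalTokensToTransfer = sum(tokens[i]); require(balance >= total);
    then credit each recipient. Returns a status string; state is only
    modified on "ok", mirroring a reverted transaction."""
    if len(tos) != len(tokens):
        return "revert: length mismatch"
    try:
        total = 0
        for t in tokens:
            total = add(total, t)          # wraps here in the unchecked model
        if balances.get(sender, 0) < total:
            return "revert: insufficient balance"
        new_balances = dict(balances)
        new_balances[sender] -= total
        for to, t in zip(tos, tokens):
            new_balances[to] = add(new_balances.get(to, 0), t)
    except OverflowError:
        return "revert: overflow"
    balances.update(new_balances)
    return "ok"


# Constructed scenario: the sender holds 100 tokens, but the two amounts sum to
# 2**256 + 50, which wraps to 50 in uint256, so the balance check only sees 50.
AMOUNTS = [1 << 255, (1 << 255) + 50]

def demo(add=unchecked_add):
    balances = {"sender": 100}
    status = multi_transfer(balances, "sender", ["a", "b"], AMOUNTS, add)
    return status, balances
```

Running demo() with the default unchecked addition succeeds and credits the recipients far more than the sender ever held, while demo(checked_add) reverts and leaves the balances untouched; Solidity 0.8+ checked arithmetic gives the same protection without a library.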

AMR was deployed dozens of days ago and has nearly 300 on-chain transactions. The most recent transfer occurred on July 8th.

Transactions

This token contract has already been listed on a few exchanges and remains active.

AMR on exchange

The issue has been indexed in the collection of vulnerabilities in ERC20 smart contracts with tokens affected [2], maintained by SECBIT and partners [3]. We will keep updating information on buggy token contracts.

The SECBIT team warns that the development team and exchanges should take measures immediately to patch the issue, and token holders are advised to stay alert. When deploying token contracts, take extreme care in reviewing, testing and assessing the code. If needed, seek help from professional auditing teams to eliminate such risks in advance.

References

[1] A Disastrous Vulnerability Found in Smart Contracts of BeautyChain(BEC) https://medium.com/secbit-media/a-disastrous-vulnerability-found-in-smart-contracts-of-beautychain-bec-dbf24ddbc30e

[2] A Collection of Vulnerabilities in ERC20 Smart Contracts With Tokens Affected https://github.com/sec-bit/awesome-buggy-erc20-tokens

[3] Token Contract Risk List — A Joint Open Source Project By Loopring & SECBIT https://medium.com/loopring-protocol/token-contract-risk-list-a-joint-open-source-project-by-loopring-secbit-85df8fff55e1

All data above comes from SECBIT; please email info@secbit.io if interested.

SECBIT was founded by a group of cryptocurrency enthusiasts. We do research on smart contract security, smart contract formal verification, crypto-protocols, compilation, contract analysis, game theory and crypto-economics.
