The CVE-2018–10299 Vulnerability

For the last few days, the crypto community has been discussing a new vulnerability in the Smart Contracts of tokens based on the ERC-20 standard. We have also studied this case with great interest.

This is not an ERC-20 vulnerability

This error is often called a vulnerability in the ERC-20 standard. This is not the case, and the batch processing block in which the error was detected is not part of the ERC-20. In the examples mentioned in the articles, the batchTransfer is described as an additional functionality designed to transfer the same number of tokens to multiple recipients (for example, in the case of airdrops).

“Production” of Errors

As it usually happens, the error is obvious if you know where to look. In this case, it is even a case of several errors.

The first of them is ignoring the already established de facto Safe Math library in critical cases (no one will argue that balancing verification is a very critical case). In particular, if instead of simple multiplication a function like the one below would be used:

In this case, the vulnerability would not have occurred.

The second error is the absence of restrictions on evoking such packet transfers. Obviously, such a scenario is rarely required and most often should be used by a limited number of users (such as contract owners or founders).

The third common mistake is the thoughtless replication of written code without critical revision. This is what usually makes such vulnerabilities so widespread.

Cheers

^_^