Statement on Asset Security from the Nebulas Tech Team

Nebulas · Published in Nebulasio · Apr 25, 2018

Following the recent hacks of SMT (SmartMesh token) and MyEtherWallet, we have received questions from our community about the security of the Nebulas platform. Nebulas smart contracts do not contain loopholes similar to the one in SMT, so please feel free to use the Nebulas contract. Meanwhile, the Nebulas team reminds MEW wallet users to watch out for DNS hijacking of the MEW wallet. Please ensure the safety of your personal assets before the token swap.

The security holes present in SMT and BEC do not exist in Nebulas contracts.

Smartmesh officials warned on April 25, Beijing time, that its contract had a loophole that could allow large amounts of tokens to be obtained through overflow attacks. This came after a contract loophole was disclosed by Mito BEC. Exchanges such as Huobi immediately stopped SMT trading. Smartmesh officials now say the problem has been solved.

Following these two incidents, Nebulas token holders have expressed concerns about the contract security of NAS. To avoid the potential risks, Okex has temporarily stopped deposits of all ERC 20 tokens.

The Nebulas tech team reviewed the situation and immediately analyzed the hacking methods used against SMT and BEC. We also ran a test to see whether NAS is resistant to the overflow hacks, and the results show that there is no such loophole. Please feel free to continue using Nebulas contracts.

The cause of the SMT incident lies in its smart contract, at Line 206: (https://etherscan.io/address/0x55f93985431fc9304077687a35a1ba103dc1e081#code)

When _feeSmt + _value overflows, the sum wraps around and becomes a very small number. Even if the transaction sponsor's account does not have enough money, it then still passes the account balance check in Line 206, and the token balance is increased by _value in Line 214.

Looking at the first attack of this event, you can see that the attacker combined the parameters _value and _feeSmt so that their sum just overflows, which is what makes the attack work.

Nebulas contract (address):

https://etherscan.io/address/0x5d65D971895Edc438f465c17DB6992698a52318D#code

The Nebulas contract is a very standard ERC 20 contract. All parameters related to token values go through an overflow check, so there is no such loophole.
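The unchecked balance check described above and the overflow check that prevents it, shown side by side as an added example (not code from the SMT or Nebulas contracts). It models unsigned 256-bit arithmetic in Python; the function names, the simplified transfer logic and the sample values are assumptions constructed for illustration.

```python
# Added illustration: models Solidity uint256 arithmetic in Python.
# All names and values are constructed; this is not the SMT or NAS contract code.
UINT256_MAX = 2**256 - 1

def wrapping_add(a, b):
    """uint256 addition without a check: the result wraps modulo 2**256."""
    return (a + b) & UINT256_MAX

def checked_add(a, b):
    """Addition with an overflow check: refuse any sum that would wrap."""
    c = wrapping_add(a, b)
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c

def transfer_with_fee(balances, sender, recipient, value, fee, add):
    """Simplified fee-paying transfer (assumed shape, based on the description above).

    `add` is the addition used for fee + value: wrapping_add or checked_add.
    Returns True if the transfer was applied, False if it was rejected.
    """
    try:
        total = add(fee, value)
    except OverflowError:
        return False                      # hardened path: overflow rejected outright
    if balances[sender] < total:          # the balance check
        return False
    balances[recipient] = checked_add(balances[recipient], value)  # credit value
    balances[sender] -= total
    return True

def demo():
    """Run the same constructed request against both variants."""
    value = fee = 2**255                  # constructed: fee + value == 2**256, wraps to 0
    results = {}
    for name, add in (("unchecked", wrapping_add), ("checked", checked_add)):
        balances = {"sender": 0, "recipient": 0}
        accepted = transfer_with_fee(balances, "sender", "recipient", value, fee, add)
        results[name] = (accepted, balances["recipient"])
    return results

if __name__ == "__main__":
    for name, (accepted, credited) in demo().items():
        print(f"{name}: accepted={accepted} recipient_credited={credited}")
```

With the unchecked sum, an account holding nothing passes the balance check and the recipient is credited; with the checked sum, the same request is rejected before any balance changes.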

The Nebulas team welcomes technical assistance in checking the Nebulas contract for loopholes.

If a loophole is found, please send an email to: contact@nebulas.io. The Nebulas team will review the feedback and offer a corresponding reward.

Risk Warning about Potential DNS Hijacking in MyEtherWallet

MyEtherWallet (MEW), the world's leading Ethereum wallet, tweeted on April 24, Beijing time, that some users in some areas were affected by DNS hijacking, resulting in property losses. MyEtherWallet has now taken urgent steps to resolve the issue. MEW officials say the problem has been solved, and they have issued the following safety guidelines:

The Nebulas team reminds you to keep your personal assets safe before the token swap. If your NAS ERC 20 tokens are currently on an exchange, we recommend performing the token swap directly via the exchange. If your NAS ERC 20 tokens are in a personal wallet, make sure to select a secure wallet and follow the wallet's official security guidelines to ensure asset security.

To keep your assets safe, Nebulas does not officially offer online wallets for the time being. Users need to download the Nebulas web wallet from Github and run it on their own PC.

Please refer to the published web wallet tutorial for instructions.

Web wallet tutorial:

https://medium.com/nebulasio/creating-a-nas-wallet-9d01b5fa2df6

Special note: Following the Eagle Nebula mainnet launch in late March, the Nebulas team is preparing to announce future plans and tutorials for our upcoming token swap. These will be released soon, stay tuned.

Learn more about Nebulas:

Official website: Nebulas.io

Github: github.com/nebulasio/go-nebulas
Slack: nebulasio.herokuapp.com
Telegram(EN): t.me/nebulasio
Twitter: @nebulasio
