Alert! Another integer overflow vulnerability just found in HXG smart contract.

Steven
Published in SECBIT Media
May 18, 2018

A security research team from China (360 0KEE) found an integer overflow vulnerability in a couple of deployed smart contracts.

https://etherscan.io/address/0xB5335e24d0aB29C190AB8C2B459238Da1153cEBA
https://etherscan.io/address/0xe37b0c4c42e02c82a023d79600dc6465cfb94eb9
https://etherscan.io/address/0xcae348eeb5d0b9fd59a8fd179d8b3e8a7b871b5f

The smart contracts are similar: each issues an ERC20 token for Hexagon (HXG/HEX). The vulnerability, in the transfer(...) function, may lead to unlimited token minting. Basically, anyone is able to mint a huge number of tokens to any address.

The function calls another internal function, _transfer(...).

As shown below, the second line of the internal function _transfer(...) is supposed to ensure that the balance of _from is greater than _value plus a constant, burnPerTransaction.

Yes, you might notice that this odd constant, defined as 2, is what makes the bug exploitable. If _value is 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe, the sum _value + burnPerTransaction wraps around to 0x0, which is smaller than any balance for sure. An attacker may call transfer(_to, 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe) to trigger the bug; the balance of _to has to be zero so that the third require check also passes.

The researchers made a successful test transaction: https://etherscan.io/tx/0x129a321d4867b4144ff30865b87955def212d3f46b3973dd2c141978defa4e70

These integer overflow/underflow vulnerabilities would have been easily ruled out if the developers had used SafeMath. Fortunately, the HXG token is neither listed on exchanges nor active on Ethereum.
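To make the two paragraphs above concrete, here is an added Python model of the balance check in _transfer(...) and of what SafeMath changes. This is illustration code written for this post, not the HXG contract's source: the function names, the three-require structure and the burn accounting are assumptions that mirror the article's description, while the EVM's 256-bit wrapping arithmetic is modelled exactly.

```python
"""Model of the HXG _transfer balance check under EVM uint256 arithmetic.

Added illustration, not the contract's own code. Names and the require
layout are assumptions that follow the article: the second require compares
balanceOf[_from] with _value + burnPerTransaction (burnPerTransaction == 2),
the third require guards the recipient's balance against overflow.
"""

UINT256_MAX = 2**256 - 1
BURN_PER_TRANSACTION = 2  # the constant the article names
MAX_VALUE_MINUS_ONE = UINT256_MAX - 1  # 0xff...fe from the article


def evm_add(a: int, b: int) -> int:
    """Addition as the EVM performs it: wraps modulo 2**256 without error."""
    return (a + b) & UINT256_MAX


def safe_add(a: int, b: int) -> int:
    """SafeMath-style addition: revert (here, raise) instead of wrapping."""
    c = a + b
    if c > UINT256_MAX:
        raise OverflowError("SafeMath: addition overflow")
    return c


def transfer(balances: dict, sender: str, recipient: str, value: int,
             checked: bool) -> bool:
    """Apply the described _transfer logic to a dict of balances.

    Returns True if the transfer is applied, False if a require fails (a
    revert on chain). With checked=True every addition goes through safe_add.
    Burned tokens are simply deducted from the sender (simplified accounting).
    """
    add = safe_add if checked else evm_add
    from_bal = balances.get(sender, 0)
    to_bal = balances.get(recipient, 0)
    try:
        needed = add(value, BURN_PER_TRANSACTION)  # second require operand
        if from_bal < needed:
            return False
        new_to_bal = add(to_bal, value)             # third require operand
        if new_to_bal <= to_bal:                    # recipient overflow guard
            return False
    except OverflowError:
        return False                                # SafeMath reverts
    balances[sender] = from_bal - needed
    balances[recipient] = new_to_bal
    return True


def demo() -> dict:
    """Run the overflow value against the unchecked and the checked variant."""
    unchecked = {"alice": 10, "bob": 0}
    checked = {"alice": 10, "bob": 0}
    return {
        "unchecked_ok": transfer(unchecked, "alice", "bob", MAX_VALUE_MINUS_ONE, False),
        "unchecked_bob": unchecked["bob"],
        "unchecked_alice": unchecked["alice"],
        "checked_ok": transfer(checked, "alice", "bob", MAX_VALUE_MINUS_ONE, True),
        "checked_bob": checked["bob"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

In the unchecked variant the sum wraps to 0, the require passes, alice keeps her 10 tokens and bob ends up with 2**256 - 2 tokens created from nothing; the checked variant raises inside safe_add and the whole transfer is rejected with balances untouched. The model also shows why the recipient balance matters: a non-zero balance for bob can make the third addition wrap as well, which is the check the article says must be passed.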

Obviously, all smart contract developers ought to take security seriously. Any small mistake can cause huge losses, as happened to the BEC and SMT tokens.
