Thursday May 24th 2018
Contract Exploits Spark ERC20 Token Suspensions Across Several Cryptocurrency Exchanges

By Jordan Daniell, Writer, ETHNews.com

Function exploits found in electronically distributed code contracts of ERC20 tokens have caused a flurry of concern at cryptocurrency exchanges. While no vulnerabilities have been detected in the ERC20 token standard itself, several cryptocurrency exchanges have taken precautionary measures due to the findings.

Two recently discovered vulnerabilities in some EDCCs (also called smart contracts) of ERC20 tokens have caused several cryptocurrency exchanges to suspend activities related to them.

OKEx, Changelly, Poloniex, QUOINE, and HitBTC all announced respective actions that included internal investigations as well as suspensions of deposits, withdrawals, and/or transfers of the Ethereum-based tokens.

Importantly, no vulnerabilities have been detected in the ERC20 token standard itself and, as noted by one Reddit user, at least one of the two similar bugs was a function added to an EDCC.

The offending software bugs are named "batchOverflow," discovered on April 22, and "proxyOverflow," discovered on April 24, and were brought to light on the Medium publishing platform.

Although these particular exploits would potentially allow hackers to gain incredibly large sums of tokens, they aren't distinctly novel in design. The Medium author noted that "batchOverflow is essentially a classic integer overflow issue," and the same can be said for proxyOverflow.

With regard to computer programming, "integer overflow" is the result of a design flaw, usually occurring when mathematical operations in a given system create a value outside the representable range of the system. 

The batchOverflow exploit, for example, was discovered by tricking ERC20 contract logic in this way. According to researchers, the programmed sanity checks designed to authenticate transactions were fooled by spoofed amount values.

Rather than exploiting the ERC20 contracts with a technically complex approach, researchers highlight how mathematical creativity and rudimentary contract programming played a larger role in the discovery of this exploit, which they explained via a screenshot containing fewer than 15 lines of code.

[Screenshot: the vulnerable batchTransfer contract code, fewer than 15 lines] Source

By entering a "_value" of 8 vigintillion (which has 63 zeros), researchers invalidated the logic checks designed to validate whether the "_value" is possible or not. This was based on multiplying "cnt" by the "_value," an equation represented in line 257 of the example contract code.

The product of this equation is the "amount" and it should be mathematically verifiable. However, according to the author, a two-step process is capable of starting the batchOverflow exploit from this position.

First, they passed two "_receivers" into the vulnerable batchTransfer function with the 8 vigintillion "_value," causing the amount to "overflow" and resetting it to zero (similar to a car's odometer that resets to zero after 999,999 miles instead of continuing on to 1 million, even though the car is still being driven).

The zeroing of the amount, as addressed in line 259, is why the contract's logic check failed. Moreover, the author noted, "With amount zeroed, an attacker can then pass the sanity checks in lines 258-259 and make the subtraction in line 261 irrelevant." Finally, in lines 262-265, the balance of both "_receivers" under the now-infracted contract would be added to the ridiculously huge "_value."
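To make the arithmetic behind the integer-overflow definition given earlier and the two steps just described concrete, here is an added example in Python; it is not code from the article, from the researchers' Medium post, or from any affected token. It models the described batchTransfer flow on uint256 arithmetic that wraps modulo 2^256, so the failing sanity check can be watched outside the EVM, and places a checked (SafeMath-style) multiplication beside it so the difference is visible. The example takes the "8 followed by 63 zeros" figure as a hexadecimal constant, i.e. 2^255, because that is the value at which two receivers make the product wrap to exactly zero; the exact require() conditions, the ledger and the names `caller`, `receiver_a` and `receiver_b` are assumptions made for the demonstration.

```python
"""Integer overflow in an ERC20 batchTransfer, modelled outside the EVM.

Added illustration, not code from the article or the researchers. It
re-implements the flow the article describes: amount = cnt * _value
(line 257), sanity checks on count and sender balance (lines 258-259), the
subtraction (line 261) and the per-receiver credits (lines 262-265). The
precise require() conditions and the ledger are assumptions for the demo.
"""

MODULUS = 2**256
UINT256_MAX = MODULUS - 1

# Assumed: 0x8 followed by 63 hex zeros, which is 2**255. With two receivers the
# product is 2 * 2**255 = 2**256, one more than a uint256 can hold, so the
# unchecked multiplication wraps to exactly zero.
OVERFLOW_VALUE = 1 << 255


def unchecked_mul(a, b):
    """Pre-0.8 Solidity semantics: the product silently wraps modulo 2**256."""
    return (a * b) % MODULUS


def checked_mul(a, b):
    """SafeMath-style multiplication: refuse any product that does not fit."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product


def batch_transfer(balances, sender, receivers, value, checked=False):
    """Apply a batchTransfer and return the new ledger (input is not mutated).

    checked=False reproduces the vulnerable contract; checked=True is the
    hardened variant in which the multiplication reverts instead of wrapping.
    """
    ledger = dict(balances)
    cnt = len(receivers)
    mul = checked_mul if checked else unchecked_mul
    amount = mul(cnt, value)                          # line 257: cnt * _value
    # Lines 258-259 (assumed conditions): bounded receiver count, non-zero value,
    # and the sender must hold at least `amount`. Once amount has wrapped to 0,
    # every sender passes this test regardless of their real balance.
    if not 0 < cnt <= 20:
        raise ValueError("receiver count out of range")
    if value == 0 or ledger.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    ledger[sender] = ledger.get(sender, 0) - amount   # line 261: subtracting zero
    for receiver in receivers:                        # lines 262-265: credit each receiver
        ledger[receiver] = (ledger.get(receiver, 0) + value) % MODULUS
    return ledger


def demonstrate():
    """Run the same call against the vulnerable and the hardened arithmetic."""
    ledger = {"caller": 0}                   # constructed: the caller holds no tokens
    receivers = ["receiver_a", "receiver_b"]
    vulnerable = batch_transfer(ledger, "caller", receivers, OVERFLOW_VALUE)
    try:
        batch_transfer(ledger, "caller", receivers, OVERFLOW_VALUE, checked=True)
        hardened = "accepted"
    except OverflowError:
        hardened = "reverted"
    return vulnerable, hardened


if __name__ == "__main__":
    after, outcome = demonstrate()
    print("wrapped amount:", unchecked_mul(2, OVERFLOW_VALUE))
    print("receiver_a balance:", after["receiver_a"])
    print("hardened contract:", outcome)
```

Running it shows the two-step sequence from the text: the wrapped `amount` is zero, the caller with an empty balance passes the check, and each receiver ends up credited with 2^255 tokens, while the checked variant rejects the same call before any balance changes. The same wrap-around check (compare the product against the type's maximum, or use compiler-enforced checked arithmetic) is the mitigation a contract audit would look for at every multiplication that feeds a balance check.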

The author expressed further concerns:

"With the touted 'code-is-law' principle in Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!"

Contract security has been increasingly pushed to the forefront of Ethereum initiatives as of late, especially in light of the much-debated Parity hard fork proposal.

"A proper way to recover from these vulnerabilities and devastating effects requires coordination and support from all eco-system members," wrote the author. "We cannot over-emphasize the importance of performing a thorough and comprehensive audit of smart contracts before deployment."

At press time, some exchanges, including Poloniex, have resumed support for ERC20 tokens. 

Jordan Daniell

Jordan Daniell is a full-time staff writer for ETHNews with a passion for techno-social developments and cultural evolution. In his spare time, he enjoys astronomy, playing the bagpipes, and exploring southern California on foot. Jordan lives in Los Angeles and holds value in Ether.
