According to Ether.Camp’s white paper, their Hacker Gold token (HKG) isn’t primarily a store of value, it acts more as a reputation marker. HKG tokens were issued during the incubation period of the Ether.Camp Hackathon competition and they allowed interested parties to buy other tokens of individual startups. However, it was just discovered that the HKG token’s contract code happens to have a bug in it.
The bug was only recently discovered by Zack Coburn, a developer whose main projects are Etherboost, a decentralized trading hub, and FirstBlood, an Ethereum eSports rewards platform. After getting in contact with Ether.Camp’s CEO & Founder Roman Mandeleil, Coburn was asked to submit a vulnerability report on GitHub, which can be viewed here.
The bug was found in the transferFrom() function of the HKG token contract. Exploiting this vulnerability would allow a bad actor to reset an account balance. This bug is significant enough to warrant a reissuing of HKG tokens after a fix is made. The entire vulnerability was made possible because of a minuscule snippet of code that read “=+” instead of “+=.” Vitalik Buterin himself chimed in on a reddit discussion about the bug, writing:
IMO this is a matter of language unintuitiveness; =+ should not be legal. I'll be checking Serpent and Viper for this. One way an FV checker could have prevented this though if it was standard for currencies to include an invariant that the total supply never changes.
In the vulnerability report, the recommended fix is to create a new HKG contract that corrects the bug, as well as restores all account balances to what they were before the bug reared its ugly head. Dapps that internally track the balances of HKG will need to be taken into account, while exchanges and token holders will also need to be notified about any new token contract. Because the flawed StandardToken code that initially created the HKG token was used to create all hack.ether.camp team tokens, those tokens are affected as well.
ETHNews reached out to Ether.Camp, but they declined to comment while work is underway to fix the flaw. We may expect to hear from them about this developing story in a few days.
Originally, Zeppelin had performed an audit of the HKG token code and found no severe security problems. This only serves to show how sneaky even the smallest bugs can be, even surviving a public code audit. Ultimately, this speaks to the importance of using proven code and performing rigorous tests when writing smart contracts.
The entire blockchain ecosystem suffers when situations like this reflect insecurities. Bugs are always going to plague computer code, but when found in such a fledgling field, they are scrutinized and can cause skepticism. To ensure the safety and reliability of any code written, it’s important to follow industry standard best practices. When Ethereum encounters a bug, investors may get nervous, but as developers continue learning from their mistakes and others’, the system as a whole becomes stronger and more resilient, leading to a more secure Ethernet ecosystem in the end.