Ethereum’s smart contract bugs just keep on coming. Exchanges including
Okex, Poloniex, Coinone, and Hitbtc today suspended deposits of ERC20 tokens
following the discovery of a batch overflow bug written into the smart
contracts governing numerous coins. The news comes in the same week that the
ethereum community voted against restoring the lost ether that was locked up in
the Parity smart contract bug last year.
Ethereum Tokens Battle a Nasty Bug
Creating an ethereum token that is free from exploitable bugs is a lot harder
than it sounds. Earlier this year researchers claimed to have found 34,000
ethereum smart contracts that are vulnerable to bugs, and a blog post authored
this week has zeroed in on one in particular: a batch overflow bug that affects
ERC20 smart contracts. Its discovery is serious enough to have prompted Okex to
announce the suspension of ERC20 token deposits, writing:
We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – “Batchoverflow”. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.
Okex added: “To protect public interest,
we have decided to suspend the deposits of all ERC-20 tokens until the bug is
fixed. Also, we have contacted the affected token teams to conduct
investigation and take necessary measures to prevent the attack.” Numerous other
exchanges have followed suit.
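The mechanism behind the bug the exchanges are reacting to is an unchecked multiplication: a batch-transfer function multiplies the number of recipients by the per-recipient value, and on the EVM that product silently wraps modulo 2**256. A wrapped, tiny total passes the sender's balance check while every recipient is still credited the full value. The following is an added example, not code from the article or from any affected token's contract: a Python simulation of that uint256 arithmetic, with a constructed ledger, the vulnerable unchecked multiply beside a SafeMath-style checked one, and a supply invariant a monitor could use to spot the resulting inflation. All function names are hypothetical.

```python
# Added example: simulation of uint256 ("wrapping") arithmetic behind the
# batchOverflow pattern. Not the code of any real token; names are hypothetical.

MOD = 2**256            # EVM unsigned integers wrap modulo 2**256


class ArithmeticOverflow(Exception):
    """Raised by the checked multiply when the product would wrap."""


def mul_unchecked(a, b):
    """Multiply the way an unguarded Solidity (<0.8) expression does: wraps."""
    return (a * b) % MOD


def mul_checked(a, b):
    """SafeMath-style multiply: recompute the factor from the wrapped product
    and refuse if it does not round-trip (Solidity: require(c / a == b))."""
    if a == 0:
        return 0
    c = (a * b) % MOD
    if c // a != b:
        raise ArithmeticOverflow(f"{a} * {b} wraps modulo 2**256")
    return c


def batch_transfer(balances, sender, receivers, value, mul):
    """Simulate batchTransfer(receivers, value): debit the sender once for the
    total and credit each receiver `value`. `mul` selects the arithmetic."""
    cnt = len(receivers)
    if not 0 < cnt <= 20:                 # typical receiver-count guard
        raise ValueError("bad receiver count")
    amount = mul(cnt, value)               # the overflow-prone product
    if balances.get(sender, 0) < amount:   # passes trivially if amount wrapped
        raise ValueError("insufficient balance")
    balances[sender] = balances[sender] - amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) % MOD
    return amount


def supply_invariant_holds(balances, total_supply):
    """Defender's check: the sum of all balances must equal totalSupply.
    Minted-from-nothing tokens break this equality."""
    return sum(balances.values()) == total_supply


def demo(mul):
    """Run one batch transfer against a constructed ledger and report.
    Sender holds 100 tokens; value is chosen so that 2 * value wraps to 0."""
    balances = {"alice": 100}              # constructed sample ledger
    value = 2**255
    try:
        amount = batch_transfer(balances, "alice", ["bob", "carol"], value, mul)
    except ArithmeticOverflow:
        return {"rejected": True, "balances": balances}
    return {"rejected": False, "amount_debited": amount, "balances": balances}


if __name__ == "__main__":
    for name, mul in (("unchecked", mul_unchecked), ("checked", mul_checked)):
        result = demo(mul)
        print(name, result, "supply invariant:",
              supply_invariant_holds(result["balances"], 100))
```

With the unchecked multiply the sender is debited nothing and two recipients each receive 2**255 tokens, and the supply invariant immediately fails; with the checked multiply the call is rejected and the ledger is untouched. Solidity versions before 0.8 left this guard to libraries such as SafeMath; from 0.8 onward plain arithmetic reverts on overflow by default, but contracts compiled earlier, or using `unchecked` blocks, still need the explicit check.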
Squishing Bugs Is a Never-Ending Battle
The possibility of attackers being able to steal, freeze, or
duplicate ERC20 tokens is a nightmare scenario for any projects building on the
ethereum protocol, as well as for existing tokens, whose teams will now be
closely scrutinizing their code for vulnerabilities. One of the tokens affected
is Smartmesh (SMT), an ERC20 that is tradeable on Huobi, Gate.io, Hitbtc, and
Okex. Its smart contract currently shows signs of blatant exploitation, with a
token balance and token value that run to over 30 figures. Hundreds of billions
of SMT have been transferred from the Smartmesh smart contract in the past 24
hours.
The batch overflow blog post published on April 22 also identifies the
Beautychain (BEC) token as having fallen prey
to the same exploit. Its author writes: “We further run our system to scan and
analyze other contracts. Our results show that more than a dozen of ERC20
contracts are also vulnerable to batchoverflow. To demonstrate, we have
successfully transacted with one vulnerable contract (that is not tradable in
any exchange) as our proof-of-concept exploit.”
While the ERC20 tokens that have been affected by this
exploit appear to comprise lesser known coins, the risk the bug presents is not
limited to these projects alone. If attackers can create tokens out of thin
air, they can then trade these on exchanges for ethereum or bitcoin, which has
the potential to affect the price of these assets and to affect confidence in
the ethereum ecosystem in particular. With the war for next generation
blockchains heating up as competitors such as EOS prepare to launch, smart
contract bugs are a burden that ethereum could do without.