Critical Bug Found in Ethereum Network, Exchanges Cease Working
April 27, 2018
Over a dozen ERC-20 smart contracts have been reported to contain bugs that allow criminals to generate tokens.
Though the errors found on April 22 and 24 are not connected with the ERC-20 standard itself, a number of exchanges have stopped trading ERC-20 tokens while the investigation is underway. Those include Poloniex, Changelly, Quoine and HitBTC.
In one case a hacker obtained as much as 57.9 octodecillion (10^57) BeautyChain tokens, at $2.5 each, which would make the hacker the wealthiest man ever. But unfortunately for him, this is just a theory.
“Our study shows that such transfer comes from an 'in-the-wild' attack that exploits a previously unknown vulnerability in the contract. For elaboration, we call this particular vulnerability batchOverflow. We point out that batchOverflow is essentially a classic integer overflow issue”, a post by blockchain security firm PeckShield explains.
The post on batchOverflow describes how the batchTransfer function in the smart contract caps the number of tokens that can be sent in one transaction and checks that the number of tokens sent does not exceed the number of tokens in existence. Nonetheless, the “_value” parameter (one of the two values that together determine the total number of tokens sent) can be manipulated in a way that alters the other one. As a result, the hacker can generate as many tokens as he wishes.
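To make the mechanism concrete, here is an added example that is not code from the article, from PeckShield, or from the BeautyChain contract: a plain-Python model of the batchOverflow arithmetic. The contract shape (`batch_transfer` taking a receiver list and a single `value`, a per-address balance map, a `Revert` exception, a cap of 20 receivers) is an assumption modelled on the description above, and the balances and inputs are constructed. It puts the vulnerable wrapping multiplication beside a SafeMath-style checked version and uses the total-supply invariant as the check a defender would watch.

```python
# Added example (not from the article, PeckShield or BeautyChain): a Python model
# of the batchOverflow pattern. EVM uint256 arithmetic wraps modulo 2**256, which
# Python ints do not, so the wrap is applied explicitly. The contract shape below
# (receiver list + single value, balance map, 20-receiver cap) is an assumption
# modelled on the article's description, not the real contract source.

UINT256_MAX = (1 << 256) - 1


class Revert(Exception):
    """Raised where an EVM contract would revert the transaction."""


def wrapping_mul(a: int, b: int) -> int:
    """uint256 multiplication as the EVM performs it: silently wraps on overflow."""
    return (a * b) & UINT256_MAX


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: revert instead of wrapping."""
    product = a * b
    if product > UINT256_MAX:
        raise Revert("multiplication overflow")
    return product


def batch_transfer(balances: dict, sender: str, receivers: list, value: int,
                   checked: bool) -> dict:
    """Simulated batchTransfer. checked=False reproduces the vulnerable arithmetic;
    checked=True uses checked multiplication so an overflow reverts before any
    balance is touched. Returns the new balance map."""
    mul = checked_mul if checked else wrapping_mul
    cnt = len(receivers)
    amount = mul(cnt, value)  # total the sender must hold; wraps to 0 when unchecked
    if not 0 < cnt <= 20:
        raise Revert("bad receiver count")
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise Revert("insufficient balance")
    new = dict(balances)
    new[sender] = new.get(sender, 0) - amount
    for r in receivers:
        new[r] = new.get(r, 0) + value  # each receiver is credited the full value
    return new


def total_supply(balances: dict) -> int:
    """Sum of all balances; a correct token keeps this constant across transfers."""
    return sum(balances.values())


def demo_vulnerable() -> tuple:
    """Sender holds nothing; two receivers and value = 2**255 make cnt*value wrap to 0.
    Returns (tokens credited to one receiver, tokens created from nothing)."""
    before = {"attacker": 0}
    after = batch_transfer(before, "attacker", ["acct_a", "acct_b"], 1 << 255,
                           checked=False)
    return after["acct_a"], total_supply(after) - total_supply(before)


def demo_hardened() -> str:
    """The same call against the checked version: the transaction reverts."""
    try:
        batch_transfer({"attacker": 0}, "attacker", ["acct_a", "acct_b"], 1 << 255,
                       checked=True)
        return "minted"
    except Revert as exc:
        return str(exc)


def demo_legitimate() -> dict:
    """The checked version still serves an honest batch transfer."""
    return batch_transfer({"alice": 100}, "alice", ["bob", "carol"], 10, checked=True)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("legitimate:", demo_legitimate())
```

The unchecked path passes the balance check because the computed total wraps to zero, so the sum of all balances grows by 2^256 in one call; the checked path rejects the same inputs while still processing an ordinary batch, which is why supply conservation is the invariant to monitor for this class of bug.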
Fabian Vogelsteller, the developer who first proposed the ERC-20 standard, has said that such bugs just prove that we need better and more innovative tools and methods for detecting them.