Hong Kong-based OKEX, the third largest cryptocurrency exchange in the world by trade volume, suspended all ERC20 token deposits April 25 after the discovery of what developers say is a “new smart contract bug.”
In a statement published Tuesday, OKEX announced the suspension of deposits, explaining that attackers have exploited a newly-discovered smart contract bug called “batchOverflow” to generate “an extremely large amount of tokens” out of thin air and then deposit them into a normal Ethereum address.
From the statement:
“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – ‘BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”
“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack,” the exchange operator added.
Changelly, a cryptocurrency trading service that acts as a broker between users and exchanges, has also suspended ERC20 token trading in response to the exploit.
Dear Customers, ERC20 tokens are temporarily unavailable due to an exploit check. We will bring them back, once we are sure there is no vulnerability in deposits received. Follow the updates! https://t.co/qYutri4X3X
— Changelly.com (@Changelly_team) April 25, 2018
The author of a Medium post published over the weekend claims to have discovered the vulnerability, which the post says affects “more than a dozen ERC20 contracts.”
According to the post, batchOverflow is a “classic integer overflow” issue, which occurs when an operation attempts to use a numeric value outside of the range that the variable is able to represent with its allocated number of bits.
The post includes a proof-of-concept, which appears to show the researchers generating a nearly unlimited amount of tokens from a vulnerable ERC20 token contract.
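To make the “classic integer overflow” concrete, the following is an added example written for this article; it is not code from the Medium post, from OKEX, or from any affected token project. It models Solidity’s wrapping uint256 arithmetic in Python and shows a hypothetical batch-transfer function (an assumption about the vulnerable pattern, not taken from the page) whose per-recipient value multiplied by the recipient count wraps to zero, so a sender with no balance passes the balance check. Beside it sits the same function with SafeMath-style checked multiplication and addition, which rejects the call. The ledger, addresses and amounts are constructed for the example.

```python
# Added example: uint256 wrap-around in a batch transfer, vulnerable vs. checked.
# Nothing here is the code of any real token contract; the batch-transfer
# shape is an assumption used to illustrate the overflow class the article names.

MASK = (1 << 256) - 1  # Solidity uint256 arithmetic is modulo 2**256


def safe_mul(a, b):
    """SafeMath-style multiplication: reverts if the uint256 product wrapped."""
    if a == 0:
        return 0
    c = (a * b) & MASK
    if c // a != b:  # the classic overflow check: division must round-trip
        raise OverflowError("uint256 multiplication overflow")
    return c


def safe_add(a, b):
    """SafeMath-style addition: reverts if the uint256 sum wrapped."""
    c = (a + b) & MASK
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c


class Token:
    """Minimal ERC20-style balance ledger with uint256 semantics."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def batch_transfer_unchecked(self, sender, receivers, value):
        # Hypothetical vulnerable pattern (assumption): the total is computed
        # with wrapping multiplication, so a huge `value` makes `total` tiny
        # and the balance check below no longer protects the ledger.
        cnt = len(receivers)
        total = (cnt * value) & MASK
        if self.balance_of(sender) < total:
            raise ValueError("insufficient balance")
        self.balances[sender] = (self.balance_of(sender) - total) & MASK
        for r in receivers:
            self.balances[r] = (self.balance_of(r) + value) & MASK

    def batch_transfer_checked(self, sender, receivers, value):
        # Hardened form: checked arithmetic makes the wrapped total impossible,
        # so the call reverts before any balance is touched.
        cnt = len(receivers)
        total = safe_mul(cnt, value)
        if self.balance_of(sender) < total:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balance_of(sender) - total
        for r in receivers:
            self.balances[r] = safe_add(self.balance_of(r), value)


def demonstrate():
    """Run both variants on a constructed ledger and report what happened."""
    value = 1 << 255          # two recipients * 2**255 == 2**256 == 0 mod 2**256
    receivers = ["0xRecipientA", "0xRecipientB"]  # constructed addresses

    weak = Token({"0xSender": 0})  # sender holds nothing
    weak.batch_transfer_unchecked("0xSender", receivers, value)

    strong = Token({"0xSender": 0})
    rejected = False
    try:
        strong.batch_transfer_checked("0xSender", receivers, value)
    except OverflowError:
        rejected = True

    return {
        "unchecked_recipient_balance": weak.balance_of(receivers[0]),
        "unchecked_sender_balance": weak.balance_of("0xSender"),
        "checked_rejected": rejected,
        "checked_recipient_balance": strong.balance_of(receivers[0]),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The unchecked variant credits each constructed recipient with 2**255 tokens while the sender’s balance stays at zero, which is the “tokens out of thin air” effect the exchange statement describes; the checked variant raises at `safe_mul` and leaves every balance untouched. Solidity 0.8 and later performs this check on every arithmetic operation by default, and SafeMath provided it for older compiler versions.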