A recently discovered programming error can make some crypto tokens susceptible to hackers. The exploit allows a hacker to pass an unusually high value to the exchange and get a ridiculous number of tokens in exchange, a problem that has caused the Okex exchange to shut down all token trading, including one called BeautyChain (BEC).
What’s really interesting is how the hack worked. As you can see above, a line in the smart contract creates another value — amount — by multiplying cnt and _value. The hackers made a transfer and set the value to eight vigintillion — an eight with 63 zeroes. When this value is passed, the code overflows, allowing the hacker to gain a massive number of tokens. Thanks to the smart contract’s “code-is-law” principle, each of these transfers is technically legitimate.
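The overflow described above, modelled in Python with 256-bit wrapping arithmetic next to a checked multiplication that rejects it. This is an added example, not the token's contract code and not from the original article; the function names, account names and the sample value are assumptions constructed for illustration.

```python
UINT256_MAX = 2**256 - 1

class Overflow(Exception):
    """Raised by the checked variant when cnt * value does not fit in 256 bits."""

def mul_wrapping(a, b):
    # Unchecked uint256 multiplication: the result is silently reduced mod 2**256.
    return (a * b) & UINT256_MAX

def mul_checked(a, b):
    # Checked multiplication: reject any product outside the uint256 range.
    product = a * b
    if product > UINT256_MAX:
        raise Overflow(f"{a} * {b} exceeds uint256")
    return product

def batch_transfer(balances, sender, receivers, value, mul):
    """Model of a batch transfer: debit the sender once, credit each receiver `value`."""
    cnt = len(receivers)
    if cnt == 0 or value == 0:
        raise ValueError("nothing to transfer")
    amount = mul(cnt, value)  # the multiplication the article describes
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - amount
    for receiver in receivers:
        balances[receiver] = balances.get(receiver, 0) + value
    return amount

def demo():
    value = 2**255                    # constructed: 2 * value == 2**256, which wraps to 0
    receivers = ["acct_b", "acct_c"]  # hypothetical account names
    vulnerable = {"acct_a": 0}
    debited = batch_transfer(vulnerable, "acct_a", receivers, value, mul_wrapping)
    hardened = {"acct_a": 0}
    try:
        batch_transfer(hardened, "acct_a", receivers, value, mul_checked)
        rejected = False
    except Overflow:
        rejected = True
    return debited, vulnerable, rejected, hardened

if __name__ == "__main__":
    print(demo())
```

With the wrapping multiply the balance check compares against a total of zero, so a sender holding nothing passes it; the checked multiply fails before any balance is touched.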
“There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!” wrote one researcher on Medium. “With that, we further run our system to scan and analyze other contracts. Our results show that more than a dozen of ERC20 contracts are also vulnerable to batchOverflow.”
In response, Okex shut down all ERC-20 tokens, but there are other exchanges and tokens susceptible to the hack.
“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack,” Okex wrote.
Image via MelisaDrucker who makes some unusually cool subway token earrings.