- How was the bug discovered?
Alarm raised in the system, where an unusual amount was transacted.
- What is this vulnerability called?
batchOverflow
- Which function is vulnerable?
batchTransfer function
- Why was the vulnerability present in several ERC20 tokens?
It was more of a copy-and-paste of code from a previous ERC token, and people didn’t really understand the concept. You can copy and paste code, but programmers need to understand what they are writing and understand the concept.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
With a smart contract, once it’s written it becomes immutable, meaning it’s law, but as with everything in life, things need to be flexible. So in future there needs to be a balance when designing contracts.
- How did exchanges react to this vulnerability?
Suspended trading by decentralised exchanges. OKEx
1.- Because of a huge transaction that was executed.
2.- batchOverflow
3.- batchTransfer
4.- Because it is the standard.
5.- Because the code is immutable.
6.- suspending the token.
- The bug was caught by tracking a large amount of tokens being transferred
- The vulnerability is called batchOverflow
- batchTransfer
- Lack of knowledge and lack of care from the contract writer
- We can’t change the contract; we can only create a new contract
- They suspended trading and froze these assets
1. How was the bug discovered?
- A token transfer monitoring system sent an alert when it noticed anomalous transfers.
2. What is this vulnerability called?
- batchOverflow (integer overflow issue within the batchTransfer function)
3. Which function is vulnerable?
- batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
- Developers typically will use code from what they deem stable projects in their own contracts, believing them to be in full working order, with little afterthought. This practice still continues, BSC being a good example where entire contracts are copied with little consideration for the actual security of said contract, and when an exploit is discovered, the impact is widespread.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
- As it relies on the principle of immutability, which is desired, until errors are discovered. Some interfaces exist that allow for updating of contract functions and parameters, but this ability to alter displeases those who embraced blockchain for its immutability and itself provides malicious teams abilities to rugpull. However, migration from a vulnerable V1 to a more secure V2 can be very damaging to a project’s user base and technically challenging, especially if the project team are of the same type that would copy a full contract without auditing it first or use it as a point of reference and build upon/around it.
6. How did exchanges react to this vulnerability?
- Without coordination, as is to be expected in a decentralized ecosystem. Again referring to BSC as an example, being more centralized can at times offer greater ability to prevent funds moving off chain once exploits or hacks have been identified; more decentralized = more ways to hide and obfuscate transactions for all, including bad actors.
- How was the bug discovered?
A very large transaction amount sent out a red flag.
- What is the vulnerability called?
batchOverflow
- Which function is vulnerable?
function batchTransfer(address[] _receivers, uint _value) - a transfer function
- Why was the vulnerability present in several ERC20 tokens?
They all used the same code.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
You cannot change the code to fix the problem.
- How did exchanges react to the vulnerability?
They suspended trading and withdrawals of the affected coin.
- How was the bug discovered?
By an automated system that scans and analyzes ERC-20 token transfers.
- What is this vulnerability called?
batchOverflow.
- Which function is vulnerable?
batchTransfer()
- Why was the vulnerability present in several ERC20 tokens?
Because other tokens were created on top of BEC.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
Because you cannot change a contract that is deployed on the Ethereum blockchain.
- How did exchanges react to this vulnerability?
OKEx exchange suspended the withdrawal and trading of BeautyChain.
- How was the bug discovered?
An automated system raised an alarm which is related to two unusual BEC token transactions involving unreasonably large amounts.
- What is this vulnerability called?
batchOverflow
- Which function is vulnerable?
batchTransfer()
- Why was the vulnerability present in several ERC20 tokens?
Code was reused by other tokens also
- Why is “code is law” mentality problematic when it comes to fixing bugs?
Nobody has the right to censor the execution of code on the ETH blockchain, thus nobody can intervene when code goes haywire. You can’t call “the admin” and ask them to stop or undo wrong transactions.
- How did exchanges react to this vulnerability?
They stopped trading affected tokens.
Hi, Folks!
How was the bug discovered?
- An automated system identified a transaction with an extremely big amount
What is this vulnerability called?
- batchOverflow
Which function is vulnerable?
- A function which could be exploited by hackers to break security
Why was the vulnerability present in several ERC20 tokens?
- There was no best-practice approach for this vulnerability
Why is “code is law” mentality problematic when it comes to fixing bugs?
- It’s hard to make changes on decentralized exchanges, when transactions are executed between users, not in one central place
How did exchanges react to this vulnerability?
- Exchanges suspended the withdrawal and trading of BEC
1. How was the bug discovered?
A blockchain security company flagged an unusual transaction due to the transfer of a large amount of tokens
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
The snippet of code was standardized with ERC20
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Contracts are basically immutable once they are deployed, there is no traditional well-known security response mechanism in place to remedy vulnerable contracts.
6. How did exchanges react to this vulnerability?
At least one exchange suspended the withdrawal and trading of an affected token. Not enough to limit the effect of this bug on the cryptocurrency market.
Answers to the questions:
- PeckShield, a blockchain security organisation (including smart contract auditing), created their own tools for scanning and analysing Ethereum-based ERC20 token transfers.
- batchOverflow
- Function batchTransfer
- Code once deployed on the Ethereum blockchain can not be changed or paused easily.
- No fast solution can be deployed to fix this exploit that exists in multiple different tokens.
- Some exchanges suspended the withdrawal and trading of the token involved.
1. How was the bug discovered?
By an automated system that scans contracts
2. What is this vulnerability called?
batchOverflow bug
3. Which function is vulnerable?
batchTransfer()
4. Why was the vulnerability present in several ERC20 tokens?
They were not using SafeMath so due to the bug in certain situations a balance was not debited/decremented by the correct amount - in this case 0
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There are no systems in place to deal with issues like this, as the contract is deployed and not changeable
6. How did exchanges react to this vulnerability?
Because the attackers now suddenly had huge numbers of stolen tokens, they were able to take advantage of certain pairs on exchanges and drive some token prices up/down significantly
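The missing SafeMath check mentioned in this answer, as an added example (a Python model of the arithmetic, not the BEC contract’s own code or course material): EVM-style uint256 multiplication wraps silently, so the balance check in the vulnerable flow compares against a wrapped amount, while a SafeMath-style checked multiply reverts the same call. Names, the 20-receiver limit and all balances are constructed for the model.

```python
# Added example: Python model of the BEC batchTransfer arithmetic.
# Not the BeautyChain contract's code; balances and names are constructed.
UINT256_MAX = 2**256 - 1


def unchecked_mul(a: int, b: int) -> int:
    """Pre-0.8 Solidity behaviour: the product silently wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: revert (raise) instead of wrapping."""
    if a == 0:
        return 0
    c = a * b
    if c > UINT256_MAX:  # equivalent to Solidity's require(c / a == b)
        raise ValueError("SafeMath: multiplication overflow")
    return c


def batch_transfer(balances: dict, sender: str, receivers: list, value: int,
                   checked: bool) -> int:
    """Mirror of the batchTransfer flow; returns the amount debited from sender."""
    cnt = len(receivers)
    amount = safe_mul(cnt, value) if checked else unchecked_mul(cnt, value)
    # The vulnerable guard only compares the (possibly wrapped) amount.
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("require failed")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return amount


def run(checked: bool) -> dict:
    """Constructed scenario: sender holds nothing, two receivers, and a value
    chosen so that cnt * value wraps to exactly zero in uint256."""
    balances = {"sender": 0}
    try:
        amount = batch_transfer(balances, "sender", ["r1", "r2"], 2**255, checked)
    except ValueError as e:
        return {"reverted": True, "reason": str(e), "balances": balances}
    return {"reverted": False, "debited": amount, "balances": balances}


if __name__ == "__main__":
    print("unchecked:", run(checked=False))  # debits 0, credits 2**255 twice
    print("checked:  ", run(checked=True))   # reverts with overflow
```

The unchecked run is what a transfer monitor sees as an implausibly large outgoing amount from an address that was never debited; the checked run never emits a transfer at all.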
1. How was the bug discovered?
Someone sent a lot of BEC and it was a crazy amount
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
this was a commonly used method to send batches of tokens
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
there is no well known security response mechanism
6. How did exchanges react to this vulnerability?
they suspended trade of the token
1.) Automated system discovered huge Token Transfer
2.) Batch Overflow
3.) batchTransfer function
4.) The ERC20 Token standard code was reused
5.) no one has the right to censor the execution of code on the Ethereum Blockchain. This limits counter measures.
6.) Suspend the withdrawal and trading of those Token.
Assignment: Hyperinflation Vulnerability
- Suspicious transaction alerted the system.
- batchOverflow
- batchTransfer()
- They also included batchOverflow vulnerability upon analysis.
- There are no known security response mechanism in place to remedy these vulnerable contracts.
- Suspended trading of tokens containing the vulnerability.
- How was the bug discovered?
With an unusual BEC token transaction that happened on April 22, 2018 at 03:28:52am UTC.
- What is this vulnerability called?
batchOverflow
- Which function is vulnerable?
batchTransfer
- Why was the vulnerability present in several ERC20 tokens?
Because the same code has been copied many times, therefore expanding the problem.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.
- How did exchanges react to this vulnerability?
At least OKEx suspended the withdrawal and trading of BeautyChain (BEC). The article does not mention any actions taken by other exchanges.
- How was the bug discovered?
Peckshield had a system in place to detect unusually large token transfers
- What is this vulnerability called?
batchOverflow
- Which function is vulnerable?
batchTransfer
- Why was the vulnerability present in several ERC20 tokens?
This same function had been used in the code of other ERC20 tokens
- Why is “code is law” mentality problematic when it comes to fixing bugs?
It says that the code should not be changed at all - i.e. that it should not be fixed
- How did exchanges react to this vulnerability?
OKEx suspended the withdrawal and trading of BEC, but some other exchanges had yet to act when the article was written
- An address sent in a large amount of tokens
- batchOverflow
- batchTransfer()
- Because the code can be copied from BEC without knowing the problem exists
- Because it is immutable and can’t be changed once it is on the blockchain
- They stopped the withdrawal and trading of BEC
1. How was the bug discovered?
By a raised alarm which is related to an unusual BEC token transaction.
2. What is this vulnerability called?
batchOverflow Bug.
3. Which function is vulnerable?
batchTransfer()
4. Why was the vulnerability present in several ERC20 tokens?
The contracts have the same code structure.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.
6. How did exchanges react to this vulnerability?
They suspended withdrawal and trading of the BEC token.
- An unusually large token transfer raised a red flag.
- batchOverflow
- batchTransfer()
- code reuse - projects copying code from other projects or templates
- there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts - also there is a mentality that blockchain is secure by default, but while the technology is new, overflow vulnerabilities are not.
- OKEx suspended trading of the vulnerable tokens, but other exchanges did not. It was not a coordinated remediation. In more recent hacks/exploited vulnerabilities, a pre-hack snapshot is taken and the tokens are hard forked into a new token with the intention of maintaining the pre-hack token value etc., i.e. PAID Network.
How was the bug discovered?
- Using an automated system to scan and analyze ERC-20 token transfer, then finding an unusually large amount of tokens being transferred in one transaction.
What is this vulnerability called?
- batchOverflow
Which function is vulnerable?
- batchTransfer()
Why was the vulnerability present in several ERC20 tokens?
- Likely because such ERC20 tokens used the very same pattern when implementing the function in their contract.
Why is “code is law” mentality problematic when it comes to fixing bugs?
- Prevents anyone from mitigating or stopping malicious exploits in the code, or from improving the code to how it is intended to behave.
How did exchanges react to this vulnerability?
- Suspending the trading and withdrawal of the involved tokens