- By monitoring transactions and flagging outliers with huge amounts of tokens moved
- batchOverflow
- batchTransfer
- Because it is usual that different teams/projects simply copy-paste the code from other projects
- Because there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts
- One exchange suspended the withdrawal and trading of BeautyChain (BEC), a batchOverflow-affected token. However, other exchanges did not and at the time of vulnerability disclosure there were still other tradable tokens vulnerable to batchOverflow
Hi everyone, these are my answers:
How was the bug discovered?
PeckShield had a system that scanned suspicious transactions, i.e. with extremely large amounts.
What is the vulnerability called?
batchOverflow
Which function is vulnerable?
batchTransfer()
Why was the vulnerability present in several ERC20 tokens?
Many tokens re-use open-source code.
Why is “code is law” mentality problematic when it comes to fixing bugs?
The “code is law” principle says that nobody has censorship authority over code in the Ethereum network, which could be a problem when trying to block potentially vulnerable code.
How did exchanges react to this vulnerability?
It’s really hard for exchanges to be coordinated and stop trading activity on time.
1. How was the bug discovered?
By an automated system to scan unusually large transactions and give a warning in this event.
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer()
4. Why was the vulnerability present in several ERC20 tokens?
Open source code gets reused frequently
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
No traditional and well-known security measures or response mechanisms to such problems
6. How did exchanges react to this vulnerability?
There was no uniform reaction. OKEx stopped all transactions of BEC. But other tokens with this vulnerability are still open for transactions and therefore exploitation
1. How was the bug discovered?
By PeckShield’s automated Ethereum chain analysis system.
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer()
4. Why was the vulnerability present in several ERC20 tokens?
Because ERC20 is a standard and the code gets copied across many contracts. In those cases developers might not think through the implications and attack vectors of every line of code. There could also be a false sense of security because it is a “standard”.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
The code is law mentality is problematic because humans aren’t perfect, and computers are complex. Humans inevitably make mistakes or overlook things in their code. But when “code is law” is followed they cannot fix their bugs.
6. How did exchanges react to this vulnerability?
One exchange suspended withdrawals of the affected token. But it doesn’t sound like others took much action.
1. How was the bug discovered?
After a very large amount of BEC was transferred
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
Lots of ERC20 smart contracts use the function
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Smart contracts are designed so that the code cannot be changed after the contract has been deployed to the Blockchain
6. How did exchanges react to this vulnerability?
Some were quicker than others
j
Hi, here’s my answers:
1. How was the bug discovered?
A hacker transferred a huge amount of BEC to two different accounts, getting detected by an automated smart contract security scanning system.
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
They used similar batchTransfer function code which didn’t consider the situation where the product of the number of receivers and the value goes over 2^256 - 1; as type uint256, instead of being 2^256, the amount becomes 0, bypassing the requirement balance[msg.sender] >= amount (=0).
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
no well-known security response mechanism to fix these contracts.
6. How did exchanges react to this vulnerability?
OKEX suspended withdrawal and trading of BEC.
“Code is law” also makes DEX more challenging to prevent these muggers from laundering stolen tokens.
- How was the bug discovered?
Through an alarm about a suspiciously large token transfer.
- What is this vulnerability called?
A batchOverflow vulnerability.
- Which function is vulnerable?
batchTransfer()
- Why was the vulnerability present in several ERC20 tokens?
Because the code did not consider a particular situation where a user would have a large amount of tokens, so certain parts of the code were bypassed, causing an exploit. The code was not fully tested.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
Because there is no true source of justice when dealing with code vulnerabilities and hacks. Regulation has not caught up entirely with innovation.
- How did exchanges react to this vulnerability?
Centralized exchanges halted trading of some affected tokens, though not all of the exchanges. DEXs continue to use the affected tokens, as they are “offline”.
- Through an automated system that was developed to scan ERC-20 tokens and send messages if there were suspicious activity.
- BatchOverflow
- The function batchTransfer
- Because it was a new, unknown vulnerability that was just discovered.
- Because you cannot change or try to fix the bug.
- OKEx agreed to take out the BeautyChain contract to avoid any further problems.
How was the bug discovered?
The PeckShield company noticed the unusual BEC token transaction (an amount equivalent to 63 0’s).
What is this vulnerability called?
The PeckShield company first named it batchOverflow. They point out that batchOverflow is essentially like a classic integer overflow issue.
Which function is vulnerable?
batchTransfer() function was vulnerable.
Why was the vulnerability present in several ERC20 tokens?
Reuse of other smart contracts’ code, probably the same batchTransfer() function usage. It was a new, unknown vulnerability.
Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts! You cannot change the existing contract.
How did exchanges react to this vulnerability?
They suspended withdrawal and trading for suspicious contracts.
- There’s a transaction with an extremely large amount of BEC token
- Vulnerability batchOverflow
- batchTransfer(_receivers, _value)
- Because there was a multiplication operation that doesn’t use safe maths, so a big amount, after it got multiplied, overflowed and resulted in a number slightly bigger than 0
- Because there’s no well-known security response mechanism in place to remedy the vulnerable contracts
- They suspended the withdrawal and trading BEC
- An automated system to scan and analyze Ethereum-based (ERC-20) token transfers
- batchOverflow
- batchTransfer
- used the ERC20 contracts standard code
- there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts
- they needed to suspend the affected tokens
- How was the bug discovered?
An independent security firm was alerted to an unusually large Tx by their own monitoring software.
- What is this vulnerability called?
batchOverflow
- Which function is vulnerable?
batchTransfer
- Why was the vulnerability present in several ERC20 tokens?
There is a standard for ERC20 tokens, meaning most token contracts use the same or very similar code.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no simple, well-known mechanism to fix a vulnerability like this in ERC20 contracts. This is because the code isn’t intended to be changed.
- How did exchanges react to this vulnerability?
Some exchanges stopped trading impacted tokens, others were very slow to react
- An alarm in the transfer security when two addresses received huge amounts of token
- batchOverflow: by overflowing the batch limit, it was reset to zero, rendering the require checks useless in stopping the attack.
- The batchTransfer function is where the exploit existed.
- Since the code is part of the ERC20 protocol, other cryptocurrencies using this standard most likely had the same type of transfer function, thus leaving many contracts vulnerable.
- Because there are no traditional security best practices to respond to these vulnerabilities
- OKEx stopped their trading but other contracts were not coordinated enough to do so
1. By an automated system to scan ERC20 token transfers which sends alerts if any suspicious transactions occur.
2. This vulnerability is called batchOverflow
3. batchTransfer is the vulnerable function
4. Because everyone copies each other’s contracts and ERC20 is a token standard, so someone made an error and several other people copied it.
5. There is no security response mechanism to remedy these vulnerable contracts.
6. OKEx made an announcement to suspend trading and withdrawal
- It was discovered with an unusual token transaction: unreasonably large amounts of token were transferred.
- It is called batchOverflow.
- batchTransfer() is vulnerable.
- Because all vulnerable tokens used the same copy-pasted ERC20 code.
- Because there is no traditional security response mechanism to remedy vulnerable contracts.
- OKEx suspended trading and withdrawals of affected token.
1. How was the bug discovered?
Extremely large number of tokens transferred
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer()
4. Why was the vulnerability present in several ERC20 tokens?
Other contracts used batchTransfer()
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
If there is broken code, there is no great way to coordinate around risk mitigation since most smart contract code cannot be changed
6. How did exchanges react to this vulnerability?
Some centralized exchanges suspended trading
1. How was the bug discovered?
It was raised by the transaction monitoring system.
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
Almost all ERC20 tokens have similar code templates which contain integer overflow issues.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Blockchain is designed as immutable; once the vulnerable contract is deployed, we can only abandon it if possible and deploy a new one.
I guess upgradeable contracts are not in the scope of this issue.
6. How did exchanges react to this vulnerability?
OKEx stopped trading the BEC token and other exchanges reacted somewhat later.
- How was the bug discovered?
They set up their system to alert them of any suspicious transactions.
- What is this vulnerability called?
batchOverflow.
- Which function is vulnerable?
batchTransfer() function is the vulnerable function.
- Why was the vulnerability present in several ERC20 tokens?
There were multiple contracts that had the same code.
- Why is “code is law” mentality problematic when it comes to fixing bugs?
“there is no traditional well-known security response mechanism in place to remedy the vulnerable contracts.”
- How did exchanges react to this vulnerability?
OKEx suspended their trading of BEC, but other exchanges didn’t react as quickly, exposing a need for exchanges to notify each other if they have the same standard of code.
1. How was the bug discovered?
The bug was discovered by blockchain security firm PeckShield. Their system raised an alarm that is related to an unusual BEC token transaction. In this particular transaction, someone transferred an extremely large amount of BEC tokens.
2. What is this vulnerability called?
It’s called “batchOverflow”.
3. Which function is vulnerable?
The function that is vulnerable is the batchTransfer function. This function is used to transfer multiple ERC20 tokens at once.
The bug is that the batchTransfer function does not check for integer overflows. This means an attacker can send a very large number of tokens without it costing a dime from the attacker’s pocket.
4. Why was the vulnerability present in several ERC20 tokens?
The reason that this vulnerability was present in several ERC20 tokens is that they all used the same contract template. This template did not check for integer overflows, which led to the creation of the batchOverflow bug.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
The “code is law” mentality is problematic when it comes to fixing bugs because it means that the code cannot be changed without the consent of all the parties involved. This can make it very difficult to fix vulnerabilities, even if they are critical.
6. How did exchanges react to this vulnerability?
OKEx made an announcement to suspend the withdrawal and trading of BeautyChain (BEC), a batchOverflow-affected token. However, other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow.
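The overflow that this answer and the earlier one (the product of receiver count and value wrapping to 0 so that balance[msg.sender] >= amount passes) describe, worked through as an added Python model of the contract’s uint256 arithmetic. This is not BeautyChain’s code or PeckShield’s; the batchTransfer structure, the receiver limit of 20, and the address names and balances are assumptions.

```python
# Constructed model of the batchTransfer() arithmetic behind batchOverflow.
# It mirrors the Solidity uint256 semantics the thread describes; it is not
# BeautyChain's code, and the balances and address names are made up.
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for a failed Solidity require()."""

def wrap(x):
    """Unchecked uint256 arithmetic silently wraps modulo 2**256."""
    return x % 2**256

def safe_mul(a, b):
    """SafeMath-style multiplication: revert instead of wrapping.
    Python ints are unbounded, so a range check is enough here."""
    c = a * b
    if c > UINT256_MAX:
        raise Revert("mul overflow")
    return c

def batch_transfer(balances, sender, receivers, value, safe):
    """Return new balances after sender sends `value` to each receiver.
    safe=False reproduces the vulnerable pattern; safe=True the fixed one."""
    cnt = len(receivers)
    amount = safe_mul(cnt, value) if safe else wrap(cnt * value)
    if not (0 < cnt <= 20 and value > 0):
        raise Revert("bad args")
    # With amount wrapped to 0 this check passes for any sender balance.
    if balances.get(sender, 0) < amount:
        raise Revert("insufficient balance")
    new = dict(balances)
    new[sender] = new.get(sender, 0) - amount
    for r in receivers:
        new[r] = wrap(new.get(r, 0) + value)
    return new

def demo():
    """Two receivers and value 2**255: cnt*value == 2**256, which wraps to 0."""
    start = {"attacker": 1}
    vulnerable = batch_transfer(start, "attacker", ["a", "b"], 2**255, safe=False)
    try:
        batch_transfer(start, "attacker", ["a", "b"], 2**255, safe=True)
        fixed = "no revert"
    except Revert as e:
        fixed = str(e)
    return vulnerable, fixed
```

In the unchecked run the sender keeps the single token it started with while each receiver is credited 2**255; the checked run reverts before any balance changes.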
1. How was the bug discovered?
As a result of an automated system which scans and analyzes ERC-20 token transfers. It automatically sends out alerts if any suspicious transactions occur.
2. What is this vulnerability called?
Batch Overflow / An Integer Overflow issue.
3. Which function is vulnerable?
The batchTransfer() function.
4. Why was the vulnerability present in several ERC20 tokens?
More than a dozen other contracts had the same vulnerability because many projects replicate other contracts and functionality.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.
6. How did exchanges react to this vulnerability?
By suspending the trading and withdrawal functionality of the BEC token. There are still other exchanges unaware of the vulnerabilities of contracts.