Hyperinflation Vulnerability - Reading Assignment

  1. PeckShield’s system detected a large BEC transaction.
  2. batchOverflow
  3. batchTransfer
  4. Because they copy implementations from unknown smart contracts without realising the risks that come with it.
  5. Because of blockchain immutability. Once you deploy a contract, there’s no way you can change the implementation, unless it’s an upgradeable contract.
  6. They suspended trading of BEC.
2 Likes
  1. The bug was discovered because PeckShield developed an automated system used to detect suspicious transactions of ERC-20 tokens. An alarm was raised after 2 transfers of 8 (followed by 63 0’s) BEC tokens were made to two different addresses.

  2. This vulnerability is called batchOverflow.

  3. The batchTransfer function was the culprit.

  4. Because ERC20 contracts use the same outline. None of them checked for overflows.

  5. It is difficult to fix bugs in contracts after they have been deployed, and there is no standard procedure for teams to follow after a bug has been found. This can lead to indecision.

  6. Some exchanges such as OKEx halted trading and withdrawals of BEC token. Other exchanges initially did nothing, but have probably since halted trades of the BEC token. Also, some of the other tokens that are vulnerable are still trading on exchanges (as of when this article was written).

2 Likes
  1. It was discovered by the security team’s alarm system.
  2. Overflow
  3. transferBatch
  4. Because they also had this function implemented.
  5. All the transactions in the blockchain are final, so there is no way you can remove or modify a deployed smart contract. That’s the reason why security is so important.
  6. Some of them reacted too late.
2 Likes

By an alarm related to an unusual BEC token transaction.

batchOverflow.

batchTransfer().

Because a lot of ERC20 tokens are created by reusing the same code, so the vulnerabilities are too.

Because once a contract is deployed on the blockchain, you are not allowed to edit it.

Suspension of withdrawals and trading of BeautyChain (BEC), but not by all of them.

1 Like
  1. How was the bug discovered?

System raised an alarm regarding an unusual BEC token tx. In this tx, someone transferred an extremely large amount of BEC tokens.

  2. What is this vulnerability called?

BatchOverFlow

  3. Which function is vulnerable?

batchTransfer

  4. Why was the vulnerability present in several ERC20 tokens?

Because of the “code-is-law” principle

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?

There’s no traditional well-known response mechanism in place to remedy these vulnerabilities.

  6. How did exchanges react to this vulnerability?

OKEx suspended the withdrawal and trading of BEC.

Non-centralised exchanges can’t stop attackers from laundering their tokens.

1 Like
  1. The bug was discovered while monitoring suspicious large transactions of ERC-20 tokens.
  2. The vulnerability is called batchOverflow bug
  3. The function that is vulnerable is named batchTransfer()
  4. The vulnerability was present in several ERC20 tokens because many were reusing the same code and therefore replicating the vulnerability.
  5. The “code is law” mentality is problematic when it comes to fixes because essentially poorly thought through and written contracts can potentially be vulnerable forever.
  6. Many exchanges responded to this vulnerability by suspending trading and withdrawal of vulnerable tokens.
1 Like

  1. The bug was discovered by a large transaction - very large - by the system.
  2. batchoverflow
  3. batchtransfer()
  4. Because the erc20 tokens used the same code.
  5. Because there isn’t a security team to discuss the problems with.
  6. They halted trading of those coins.
1 Like
  1. Transfer of huge amount of tokens.
  2. batchOverflow
  3. batchTransfer
  4. They were copied from a standard
  5. You can’t edit the existing contract. A new one needs to be created and deployed.
  6. Uncoordinated
1 Like
  1. Lots of BEC tokens was transferred, which was startling.
  2. batchOverflow
  3. batchTransfer
  4. The same functions get reused, so the vulnerability that was in the first function gets passed on to the second function.
  5. Smart contracts are not supposed to be changed, and fixing would need a change.
  6. OKEx responded with suspension of trading, but other exchanges were slow
1 Like
  1. By external automated monitoring of ERC-20 tokens - smart contracts, searching for weird behavior and unusual transactions (BEC contract in this case)
  2. Batch Overflow
  3. batchTransfer()
  4. Because of reusing the same code in different projects on different ERC-20 tokens
  5. ERC-20 code is meant to be immutable, but when it comes to the bugs found in code, it complicates fixing those bugs
  6. Mainly too slow; some did suspend the token, but in general they were not acting synchronized
2 Likes
  1. How was the bug discovered?
    A Suspicious BEC Token Transfer (with huge amount)

  2. What is this vulnerability called?
    batchOverflow

  3. Which function is vulnerable?
    The batchOverflow function.

  4. Why was the vulnerability present in several ERC20 tokens?
    Because they all used the same open-source smart contract code without checking for bugs.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.

  6. How did exchanges react to this vulnerability?
    By making an announcement to suspend the withdrawal and trading of BeautyChain (BEC), a batchOverflow-affected token. However, other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow!

1 Like
  1. By a system alert of suspicious activity.
  2. batchOverflow
  3. batchTransfer
  4. They relied on an ERC20 token as standard and reliable but did not research whether there were any vulnerabilities in it.
  5. The blockchain is immutable.
  6. OKEx suspended trading, but other exchanges were too slow.
1 Like
  1. An alarm alerted the monitoring system.
  2. batchOverflow
  3. batchTransfer
  4. They use the same standards mostly.
  5. Spirit of the law vs letter of the law. Siding with letter of the law assumes perfection. Seems there’s no good way to remedy imperfection with letter of the law. Updates are not meant to be done ideally, because it’s assumed perfect.
  6. Uncoordinatedly.
1 Like

How was the bug discovered?

With an alarm notification that the security company which presented the article had received.

What is this vulnerability called?

BatchOverflow, which is an integer overflow issue.

Which function is vulnerable?

batchTransfer()

Why was the vulnerability present in several ERC20 tokens?

A critical calculation inside the function was not covered by an overflow-free implementation, which is vulnerable especially when big amounts are transacted.

Why is “code is law” mentality problematic when it comes to fixing bugs?

It requires the software architects to be more responsible and make their own insurance configuration instead of relying on traditional, automatically working security triggers supplied globally by the network, which would limit the network and contracts and fall contrary to the concept of decentralization.

How did exchanges react to this vulnerability?

Suspended withdrawals and trading for the currency of the smart contract.

  1. How was the bug discovered?
    The bug was discovered when PeckShield Security’s automated scanning and analysis system identified and raised an alarm about two transfers of the same extremely large amount of BEC tokens from the same BeautyChain contract to two separate addresses.

  2. What is this vulnerability called?
    This vulnerability was called batchOverflow.

  3. Which function is vulnerable?
    The batchTransfer function is the vulnerable function.

  4. Why was the vulnerability present in several ERC20 tokens?
    The vulnerability was present in several ERC20 tokens because they were derived from the same code.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because “code is law” declares that smart contracts are unstoppable and leaves no room for vulnerability, there is no appropriate security response in place to adopt when fixing bugs. As a result, the “code is law” mentality is problematic.

  6. How did exchanges react to this vulnerability?
    Only one exchange, OKEx, suspended the withdrawal and trading of the batchOverflow-affected token, as other exchanges were not coordinated.

OKEx made an announcement to suspend the withdrawal and trading of BeautyChain (BEC).

1. How was the bug discovered?

PeckShield had developed a system to scan and analyze ERC-20 token transfers and to detect suspicious transactions (e.g., involving unreasonably large amounts of tokens being transferred). On 4/22/2018, that system raised an alarm related to an unusual BEC token transaction in which someone transferred an extremely large amount of BEC tokens. PeckShield’s team looked at the related smart contract and their study showed that such a transfer had come from an “in-the-wild” attack that exploited a previously unknown vulnerability in the contract.

2. What is this vulnerability called?

batchOverflow

3. Which function is vulnerable?

batchTransfer()

4. Why was the vulnerability present in several ERC20 tokens?

Because the code from BEC was reused, since doing that is a common practice when launching ERC-20 tokens.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?

In the context of smart contract development, the “code is law” mentality can be problematic when it comes to fixing bugs. Smart contracts are typically designed to be immutable by default, which means that once deployed, they cannot be changed. While this can ensure the integrity and consistency of the system, it can also make it difficult to fix bugs or address issues. Developers need to carefully consider potential bugs and issues during the design and development phase, as well as explore alternative approaches and solutions. Once a smart contract is deployed, it may not be possible to make significant changes, so careful planning and consideration are crucial.

6. How did exchanges react to this vulnerability?

At the time, OKEx, for instance, made an announcement to suspend the withdrawal and trading of BeautyChain (BEC); however, there was still the need for other exchanges to also be coordinated, and there still existed other tradable tokens vulnerable to batchOverflow! The presence of decentralized exchanges with offline trading services was also a concern, since they could pose additional challenges as they wouldn’t even be able to stop attackers from laundering their tokens.

  1. By analysing any suspicious transaction, like particularly unreasonably large token transfers
  2. batchOverflow
  3. Other ERC20 token/smart contract were built on the same vulnerable contract
  4. “code is law” means that the code of a Smart Contract is the ultimate arbiter of the outcome of an on-chain interaction, as once deployed on the blockchain (which is immutable) it cannot be “modified”.
  5. Centralized exchanges suspended the trading, but this was not straightforward for Decentralized Exchanges with offline trading services
  1. How was the bug discovered?

An alert generated from a blockchain security company’s automated system developed to scan and analyze Ethereum-based (ERC-20) token transfers.
Suspicious BEC token transfer (with a huge amount). This anomaly prompted the need to look into the related smart contract code.

  2. What is this vulnerability called?

Batch overflow, which is essentially a classic integer overflow issue.

  3. Which function is vulnerable?

batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?

Reused code. The presence of non-centralized exchanges with offline trading services might pose additional challenges as they cannot even stop attackers from laundering.

  5. Why is the “code is law” mentality problematic when it comes to fixing bugs?

There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts. With the potential values associated with these tokens, even a third-party independent security team is unfortunately not in a position to react by suspending the trading of vulnerable tokens on various exchanges.

  6. How did exchanges react to this vulnerability?

OKEx made an announcement to suspend the withdrawal and trading of BeautyChain (BEC), a batchOverflow-affected token.
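The posts above describe batchOverflow as a classic integer overflow in batchTransfer(). As an added illustration, not code from the article or from any post in this thread, the Python below models the uint256 arithmetic involved: the unchecked multiply that wraps, the SafeMath-style multiply that reverts instead, and a supply-bound heuristic of the kind a monitoring system raises an alarm on. The ledger, supply figure and account names are constructed for the example.

```python
# Added example, not code from the article or the thread: a Python model of the
# uint256 arithmetic behind batchOverflow. Solidity before 0.8 wraps silently,
# which is modelled here as explicit reduction modulo 2**256.
UINT256_MAX = 2**256 - 1
# Constructed placeholder supply for the example, not the real BEC figure.
TOTAL_SUPPLY = 7_000_000_000 * 10**18


def wrapping_mul(a: int, b: int) -> int:
    """Unchecked uint256 multiply as the EVM performs it: product modulo 2**256."""
    return (a * b) & UINT256_MAX


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiply: raise (revert) instead of wrapping."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product


def batch_transfer(balances: dict, sender: str, receivers: list, value: int,
                   checked: bool) -> bool:
    """Model of a batchTransfer(receivers, value) call; returns True on success.

    The vulnerable shape totals len(receivers) * value with wrapping arithmetic
    and compares only that (possibly wrapped) total against the sender's balance,
    while every receiver is still credited the full value. With the checked
    multiply the same call reverts before any balance changes.
    """
    mul = checked_mul if checked else wrapping_mul
    try:
        total = mul(len(receivers), value)
    except OverflowError:
        return False  # revert
    if value == 0 or balances.get(sender, 0) < total:
        return False  # revert
    balances[sender] -= total
    for receiver in receivers:
        balances[receiver] = (balances.get(receiver, 0) + value) & UINT256_MAX
    return True


def tokens_created(balances: dict, expected_supply: int) -> int:
    """Sum of balances minus the supply that should exist; positive means inflation."""
    return sum(balances.values()) - expected_supply


def is_suspicious_transfer(amount: int, total_supply: int) -> bool:
    """Monitoring heuristic of the kind the posts describe: a single transfer larger
    than the token's whole supply cannot be legitimate and should raise an alarm."""
    return amount > total_supply
```

The first post's "8 followed by 63 zeros" is the hex form of 2**255; two receivers at that value make the wrapped total 0, which is why the balance check passes in the unchecked model and fails in the checked one.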

  1. Suspiciously large transactions of a token were seen on the blockchain
  2. batchOverflow
  3. batchTransfer()
  4. These contracts all inherited or copied the same code from one source
  5. When there is a flaw in the code there is no way to fix it if holding to “code is law”
  6. At least one stopped trading the compromised token