Hyperinflation Vulnerability - Reading Assignment

  1. They have built a system for analyzing and alerting about suspicious large token transactions. That’s how they identified an unusual BEC token transaction.
  2. The vulnerability is called batchOverflow.
  3. batchTransfer
  4. It’s an ERC-20 token exploit problem. With the “code-is-law” principle in the Ethereum blockchain, there is no traditional, well-known security response mechanism in place to remedy these vulnerable contracts.
  5. This notion posits that the code governing interactions within decentralized systems is the ultimate authority, superseding any other legal or ethical considerations. This mindset can lead to situations where bad actors exploit loopholes and vulnerabilities in smart contracts, leading to unintended consequences and negative outcomes for users.
  6. They de-listed the affected tokens, and all other types of ERC-20 token deposits, until the exploit was solved.

How was the bug discovered?
Via PeckShield’s automated system for scanning and analyzing (suspicious) ERC20 token transfers.

What is this vulnerability called?
batchOverflow

Which function is vulnerable?
batchTransfer()

Why was the vulnerability present in several ERC20 tokens?
Because of smart contract code (including for ERC20 tokens) often being copied and re-used from one contract to another.

Why is “code is law” mentality problematic when it comes to fixing bugs?
Because it creates resistance to: 1) widely establishing robust code update mechanisms and contract security protocols; and 2) having smart contract bugs proactively remedied as opposed to exploiting them for (illicit by any reasonable standard/context) selfish gain, irrespective of the ensuing community harm.

How did exchanges react to this vulnerability?
OKEx made an announcement to suspend the withdrawal and trading of BeautyChain (BEC), a batchOverflow-affected token.
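The batchOverflow pattern that the answers above refer to, modelled in Python as an added example (this is not the BeautyChain contract's code and not part of any post on this page): a simplified batchTransfer whose `cnt * value` is computed with wrapping uint256 arithmetic, placed beside a SafeMath-style checked version that detects the overflow. The ledger, account names and balances are constructed sample data, and `would_overflow` is an assumed helper name for the reviewer's check.

```python
# Added example: a Python model of the batchOverflow pattern in an
# ERC-20 batchTransfer(). This is NOT the BeautyChain contract's code;
# it only reproduces the arithmetic the bug depends on. Solidity's
# uint256 (before compiler 0.8) wraps modulo 2**256, so cnt * value can
# become a small number (even 0) and slip past the balance check.

UINT256_MAX = 2**256 - 1


def mul_wrapping(a: int, b: int) -> int:
    """Multiply as a pre-0.8 Solidity uint256 does: wrap on overflow."""
    return (a * b) & UINT256_MAX


def mul_checked(a: int, b: int) -> int:
    """SafeMath-style multiply: revert (raise) instead of wrapping."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product


def batch_transfer(balances: dict, sender: str, receivers: list, value: int,
                   checked: bool) -> bool:
    """Model of batchTransfer(address[] _receivers, uint256 _value).

    Returns True when the transfer went through, False when a require()
    condition failed, and raises OverflowError when the checked version
    detects the overflow. `balances` is modified in place.
    """
    cnt = len(receivers)
    mul = mul_checked if checked else mul_wrapping
    amount = mul(cnt, value)  # the multiplication that wraps in the unchecked form
    # The require() conditions of the vulnerable pattern; all of them pass
    # once `amount` has wrapped to a small number.
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        return False
    balances[sender] -= amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return True


def overflow_demo(checked: bool) -> dict:
    """Run one batchTransfer over a constructed ledger and return the outcome."""
    ledger = {"alice": 100, "bob": 0, "carol": 0}  # constructed sample balances
    # Two receivers and value = 2**255: 2 * 2**255 == 2**256, which wraps to 0,
    # so the unchecked form deducts nothing from the sender.
    ok = batch_transfer(ledger, "alice", ["bob", "carol"], 2**255, checked)
    return {"accepted": ok, "ledger": ledger}


def would_overflow(cnt: int, value: int) -> bool:
    """Reviewer's check (assumed helper): does cnt * value exceed uint256?"""
    return cnt * value > UINT256_MAX


if __name__ == "__main__":
    print("unchecked:", overflow_demo(checked=False))
    try:
        overflow_demo(checked=True)
    except OverflowError as e:
        print("checked  :", e)
```

The checked form is what SafeMath provided for older compilers; Solidity 0.8 and later reverts on arithmetic overflow by default, so the fix for code written today is mainly to avoid `unchecked { ... }` blocks around untrusted arithmetic and to review any copied batch-transfer routine for the `cnt * value` pattern.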