Hyperinflation Vulnerability - Reading Assignment

  1. How was the bug discovered?
    By alarm raised by security team’s monitoring system
  2. What is this vulnerability called?
    batchOverflow
  3. Which function is vulnerable?
    essentially a classic integer overflow issue
  4. Why was the vulnerability present in several ERC20 tokens?
    ERC20 tokens commonly use boilerplate code
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    smart contracts are immutable, they are not supposed to be changed, and fixing would require a change.
  6. How did exchanges react to this vulnerability?
    OkEx suspended withdrawal and deposit but other exchanges did not do that
1 Like

Answers

  1. The bug was discovered thanks to an alert that was set to evidence any suspicious transactions that involved unreasonably large amount of tokens.

  2. The vulnerability was called batchOverflow and it represents a classic example of an integer overflow issue.

  3. Function batchTransfer was vulnerable. By having 2 receivers with a very high value, it was possible to overflow amount and make it zero. In this way the require didn’t trigger, balance[msg.sender] didn’t subtract anything, and it was possible to trigger the transfer function with the initial large value.

  4. Every dev that would use batchTransfer simply copies and pastes it into their smart contract. Blockchain is open to the entire world; it’s not necessary to rewrite something that has just been developed.

  5. It’s not possible to revert a transaction once it is made. You could only try to stop withdrawals from all the exchanges that accept the token that has been hacked. Nowadays we have insurance protocols that could be used to counter this “code is law” mentality, providing coverage against these attacks.

  6. Exchanges could only suspend withdrawals or delist the token.

1 Like
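As an added example that is not part of any post in this thread, the Python model below reproduces the arithmetic the answer above describes for a batchTransfer-style function: with unchecked uint256 multiplication, two receivers and a value of 2**255 make `amount` wrap to 0, so the require passes and the sender's balance is never reduced, while a SafeMath-style checked multiplication reverts instead. The function names, the ledger and the balances are constructed for illustration.

```python
UINT256_MAX = 2**256 - 1

def wrap256(x):
    """Emulate unchecked uint256 arithmetic (pre-0.8 Solidity): wrap modulo 2**256."""
    return x % (UINT256_MAX + 1)

def checked_mul(a, b):
    """SafeMath-style multiplication: revert (raise) instead of silently wrapping."""
    c = a * b
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c

def batch_transfer(balances, sender, receivers, value, checked):
    """batchTransfer-style logic (constructed model, not the real contract).
    checked=False wraps the product like the vulnerable code; checked=True reverts on overflow."""
    cnt = len(receivers)
    amount = checked_mul(cnt, value) if checked else wrap256(cnt * value)
    # Both require() checks pass when amount has wrapped to 0.
    if not (0 < cnt <= 20):
        raise ValueError("require(cnt > 0 && cnt <= 20) failed")
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("require(_value > 0 && balances[msg.sender] >= amount) failed")
    balances[sender] = wrap256(balances[sender] - amount)   # subtracts 0 when wrapped
    for r in receivers:
        balances[r] = wrap256(balances.get(r, 0) + value)   # each receiver is credited 'value'
    return amount

def demo(checked):
    """Constructed ledger: sender holds 100 tokens; two receivers and value = 2**255,
    so cnt * value == 2**256, which the unchecked product wraps to exactly 0."""
    balances = {"sender": 100}
    try:
        batch_transfer(balances, "sender", ["r1", "r2"], 2**255, checked)
        reverted = False
    except OverflowError:
        reverted = True
    return {"reverted": reverted, **balances}

if __name__ == "__main__":
    print("unchecked:", demo(checked=False))   # sender keeps 100, r1 and r2 each get 2**255
    print("checked:  ", demo(checked=True))    # reverted, ledger unchanged
```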

How was the bug discovered?

  • the bug was discovered by an automated system made by PeckShield.

What is this vulnerability called?

  • batchOverflow.

Which function is vulnerable?

  • the function called “batchTransfer()”.

Why was the vulnerability present in several ERC20 tokens?

  • because many people reuse code that is already deployed.

Why is “code is law” mentality problematic when it comes to fixing bugs?

  • there is no well known response mechanism to correct those contracts with errors.

How did exchanges react to this vulnerability?

  • centralized exchanges had to close trading on the tokens affected
1 Like
  1. Peckshield has a system that scans token transfers and discovers any suspicious looking ones.
  2. This vulnerability is called batchOverflow
  3. The function that was vulnerable in Peckshield’s example was called batchTransfer
  4. This piece of code is recycled and used in many projects at the same time
  5. “Code is law” means immutability and is the essence of crypto technology, but is an obstacle for security concerns because it makes adjustments almost impossible.
  6. Exchanges reacted to this vulnerability by suspending trade of the particular token.
1 Like
  1. This bug was discovered by an independent security company that analyzed transactions on blockchain.
  2. The vulnerability is called ‘batchOverflow’.
  3. The vulnerable function is ‘batchTransfer’.
  4. The vulnerability was affecting other tokens as well because there are batchOverflow-affected tokens.
  5. ‘Code is law’, but if the code is broken then the law is broken as well. There was not an existing procedure for fixing these types of issues.
  6. Exchanges no longer allowed exchanging batchOverflow-affected tokens.
1 Like
  1. How was the bug discovered?
    our system will automatically send out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur

  2. What is this vulnerability called?
    batchOverflow

  3. Which function is vulnerable?
    batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?
    many people reuse code

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    the code is immutable

  6. How did exchanges react to this vulnerability?
    OKEx made an announcement to suspend the withdrawal and trading

1 Like
  1. The bug was discovered when a third-party blockchain security team inspected the code of a smart contract with an unusually large transfer amount

  2. batchOverflow

  3. batchTransfer

  4. Because ERC-20 is a standard and many tokens just copy the code from other thus spreading the vulnerable code

  5. Because bugs with these kinds of code(smart contract that handle money) have bigger implications than others

  6. They suspended withdrawal and trading of these coins

1 Like
  1. How was the bug discovered?
  • a Third Party Security firm discovered a large transaction on the blockchain and then inspected the code of the Smart Contract
  2. What is this vulnerability called?
  • batchOverflow
  3. Which function is vulnerable?
  • batchTransfer
  4. Why was the vulnerability present in several ERC20 tokens?
  • ERC20 is a Standard of ETH and many tokens inherit from this ERC20 Standard
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
  • Code is immutable
  6. How did exchanges react to this vulnerability?
  • Exchanges made announcements to disable/suspend withdrawals and trading
1 Like
  1. The bug was discovered by an automated system that scans and analyses ERC-20 tokens and "send[s] out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur".

  2. The vulnerability was named batchOverflow.

  3. The batchTransfer function was where the vulnerability in question lay.

  4. The vulnerability was present in several ERC-20 tokens, probably because the code was open source and thus re-used.

  5. The “code-is-law” mentality is problematic when it comes to fixing bugs because it means that entire code structures have to be abandoned. The whole point of the blockchain is for it to be immutable, but humans make mistakes so inevitably bugs will exist on the blockchain and have to be fixed somehow.

  6. OKEx managed to suspend trading of the bugged token pretty quickly, but the suspension efforts across the blockchain space were uncoordinated and thus the suspension was not as successful as it could have been.

1 Like
  1. The team had an automated system that reported suspicious transactions. There was a transaction with a suspiciously large amount that raised an alert and the team investigated which led them to the bug.
  2. batchOverflow bug
  3. batchTransfer
  4. The vulnerability was present in several tokens because newly created tokens almost always borrow from other tokens since there are industry standards.
  5. It makes it seem like a violation of law to fix bugs. If code is law then changing the code (even for a good reason) makes it seem like the person fixing it is putting themselves in a position of unchecked power.
  6. OKEx halted trading of Beauty Token but it was still tradeable on other exchanges and other tokens with the same vulnerability were still being traded everywhere.
1 Like
  1. This was discovered when an automated system detected an unusual transaction on BeautyChain.
  2. This vulnerability is called batchOverflow.
  3. batchTransfer()
  4. It is present in multiple ERC-20 tokens since values inputted to a calculation can exceed the total that can be stored in a uint256 variable. Also that other ERC-20 tokens used the same vulnerable code in their token.
  5. The code is immutable therefore it can’t be changed once deployed.
  6. Exchanges acted differently. Some removed the vulnerable token.
1 Like
  1. By huge tx that were alarming

  2. batchOverflow

  3. batchTransfer

  4. Because of the standardised open source ERC20 token

  5. Because rewriting code in the bc is not supposed to happen

  6. Uncoordinatedly

1 Like

1. How was the bug discovered?

The contract’s monitoring system sent an alert about an unusually high transaction.

2. What is this vulnerability called?

batchOverflow

3. Which function is vulnerable?

The batchTransfer function.

4. Why was the vulnerability present in several ERC20 tokens?

Because they reuse the same code (=> probably openzeppelin)

5. Why is “code is law” mentality problematic when it comes to fixing bugs?

Code is law means: You coded it that way - so be it that way. A smart contract is not intended to be changeable, therefore once deployed it is supposed to never again change its code.

6. How did exchanges react to this vulnerability?

OKEX did suspend trading for the token. Other exchanges did not react fast enough.

1 Like

1.- The bug was discovered by the PeckShield team’s ERC20-scanning bot finding rare-amount transactions.

2.- The vulnerability is called BatchOverflow.

3.- In some type of ERC20 contracts, with the batchTransfer Function.

4.- Probably several teams who derived their ERC20 contracts from a source that was not thoroughly checked.

5.- The idea is that deployed smart contracts are immutable, and therefore, the vulnerabilities stay with them.

6.- Okex responded by suspending trade and withdrawal of the BEC token.

1 Like

1. How was the bug discovered?
Through an automated system designed to scan and analyze Ethereum-based (ERC-20) token transfers.

2. What is this vulnerability called?
batchOverflow

3. Which function is vulnerable?
batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?
The vulnerable code was re-used by other contracts.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Once it’s deployed it’s immutable.

6. How did exchanges react to this vulnerability?
They suspended withdrawals and trading of affected coins.

1 Like

1. How was the bug discovered?
2. What is this vulnerability called?
3. Which function is vulnerable?
4. Why was the vulnerability present in several ERC20 tokens?
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
6. How did exchanges react to this vulnerability?

1. PeckShield has an automated system which tracks Ethereum (ERC20) token transfers. When this big transfer occurred, it alarmed on their side.
2. batchOverflow
3. batchTransfer was the vulnerable function
4. Other ERC20 tokens have the same vulnerable function code.
5. There is no traditional well-known security response to remedy this issue.
6. Other exchanges also need to be coordinated, and there still exist other tradable tokens vulnerable to batchOverflow (trading of BEC was suspended).

2 Likes
  1. The bug was discovered when PeckShield’s automated internal alarm system sounded, indicating an unusually large transaction took place

  2. batchOverflow

  3. the batch transfer function

  4. The vulnerable code was reused by other token contracts

  5. Code is law mentality is problematic because an immutable bugged contract that exists in multiple smart contracts will and have been vulnerable to exploits

  6. Suspending withdrawals and trading of BEC, however the delisting was not coordinated which left the bug open for exploit on other exchanges

2 Likes

1. How was the bug discovered?
By an automated alarming system
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer(…)
4. Why was the vulnerability present in several ERC20 tokens?
Because the code is copied from a template for ERC20 tokens
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Because the code is immutable and therefore a bug cannot be fixed
6. How did exchanges react to this vulnerability?
Some exchanges suspended the trading with BEC, but others did not

1 Like
  1. How was the bug discovered?
    By monitoring activity on the ethereum blockchain for extremely large ERC20 token transfers
  2. What is this vulnerability called?
    batchOverflow
  3. Which function is vulnerable?
    batchTransfer()
  4. Why was the vulnerability present in several ERC20 tokens?
    Because the overflow of an int is a common issue in solidity
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because it does not allow to change and fix vulnerabilities found after the code is deployed.
  6. How did exchanges react to this vulnerability?
    They suspended withdrawal and trading of the BEC coin
1 Like

How was the bug discovered?
There were two enormously large token transfers, with each transfer involving the same amount of tokens from the same contract but to two different addresses.

What is this vulnerability called?
batchOverflow

Which function is vulnerable?
The transfer function

Why was the vulnerability present in several ERC20 tokens?
They had the same contracts

Why is “code is law” mentality problematic when it comes to fixing bugs?
The code is immutable

How did exchanges react to this vulnerability?
They stopped the hacked token trading

1 Like