Hyperinflation Vulnerability - Reading Assignment

  1. The vulnerability was discovered by Peckshield who developed an automated system to scan and analyze Ethereum-based (ERC-20) token transfers. This system raised an alarm related to excessively large BEC token transfers in 2018.
  2. The vulnerability is called “batchOverflow bug”.
  3. batchTransfer
  4. This code was considered part of the ERC20 standard and was copied and reused without the normal scrutiny that perhaps would have otherwise applied.
  5. “code-is-law” places the emphasis on what exists, rather than what should exist. This makes changes necessarily difficult when bug management is considered.
  6. Exchanges reacted disparately but the suspension of trading and withdrawal was one approach taken.
1 Like
  1. How was the bug discovered?
    An alert sent by a system which monitors suspicious transactions.

  2. What is this vulnerability called?
    batchOverflow

  3. Which function is vulnerable?
    batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?
    They are sharing the same vulnerable library.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because it is difficult to change a deployed smart contract.

  6. How did exchanges react to this vulnerability?
    They suspended the withdrawal and trading of the affected tokens.

1 Like

1. How was the bug discovered?
By an alarm that was triggered by a huge transaction
2. What is this vulnerability called?
batchOverflow
3. Which function is vulnerable?
batchTransfer
4. Why was the vulnerability present in several ERC20 tokens?
At this moment tokens follow a standard; I suppose at this time this bug was not discovered.
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
By the immutability of the blockchain
6. How did exchanges react to this vulnerability?
Some suspended transactions on the tokens, others didn’t.

1 Like
  • The bug was discovered by an alarm which was raised by an unusual token transaction.

  • The vulnerability is called a batchOverflow.

  • The function batchTransfer() is the vulnerable function.

  • The vulnerability was present in several ERC20 tokens as the open source contract code is usually copied.

  • “Code-is-law” can be problematic to fixing bugs as there is no security response mechanism in place. There is no way to go back and fix the bugs.

  • Exchanges reacted by suspending withdrawals and trading of the tokens affected by the vulnerability.

1 Like
  1. How was the bug discovered? A large amount of tokens (funds) were transferred on a smart contract.

  2. What is this vulnerability called? It’s called batchOverflow.

  3. Which function is vulnerable? The function batchTransfer() is vulnerable.

  4. Why was the vulnerability present in several ERC20 tokens? Because ERC20 tokens are created on an existing template and, thus, would inherit that vulnerability.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs? A ‘code of law’ mindset assumes that a code must be left ‘as is’ and without any future changes or modifications. Therefore, any bug(s) would be allowed to continue wreaking havoc on the smart contract.

  6. How did exchanges react to this vulnerability? Centralized exchanges paused the transfer of the identified token. Unfortunately, decentralized exchanges couldn’t respond as effectively.

1 Like

1. How was the bug discovered?
2. What is this vulnerability called?
3. Which function is vulnerable?
4. Why was the vulnerability present in several ERC20 tokens?
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
6. How did exchanges react to this vulnerability?

  1. by scanning for suspicious transactions and automatically sending out alerts
  2. batchOverflow
  3. batchTransfer
  4. copy and paste of code
  5. it doesn’t allow fixing bugs
  6. some suspended trading and withdrawal of these tokens
1 Like
  1. The bug was discovered when a system designed to listen for outrageously large transactions raised the alarm.
  2. This vulnerability is called batchOverflow.
  3. batchTransfer was the vulnerable function.
  4. The vulnerability was present in several ERC20 tokens because they all follow the same standards so code is often reused or based off other older contracts that have worked in the past.
  5. The code is law mentality can be problematic when it comes to fixing bugs because there is no traditional well-known security response within Ethereum that can be used to fix vulnerable smart contracts. The problem is also made worse by the fact that there is no centralized authority capable of stopping these tokens from being laundered.
  6. The exchanges reacted to this vulnerability by halting trading and withdrawal at OKEx but not all exchanges followed suit.
1 Like
  1. How was the bug discovered?
    Someone transferred an unusually huge amount of BEC token.

  2. What is this vulnerability called?
    batchOverflow

  3. Which function is vulnerable?
    batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?
    Because they are just copied from each other.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because there is no traditional well-known security response mechanism to fix these vulnerable contracts.

  6. How did exchanges react to this vulnerability?
    OKEx suspended the withdrawal and trading of BEC; however, due to its decentralization it is hard to control all vulnerable contracts, so some of those still exist.

1 Like

1. How was the bug discovered?
Through an unusually large BeautyChain (BEC) transaction which revealed the vulnerability.

2. What is this vulnerability called?
batchOverflow.

3. Which function is vulnerable?
The batchTransfer function.

4. Why was the vulnerability present in several ERC20 tokens?
The batchTransfer function doesn’t check for overflow errors, allowing a user to transfer an amount to multiple addresses that will overflow once the multiplication is complete, and the overflowed amount will pass the sanity checks run on the senders’ balance. This allows more coins to be minted at will, even surpassing the supply cap imposed on the coins’ contract.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Because it leaves no ability to prevent malicious attacks once a vulnerability is found, which in turn can have ripple effects on the prices of other assets when the hackers dump their coins on the market. It also renders a cryptocurrency utterly worthless once a vulnerability has been found, and rather than fixing the bug the project will die.

6. How did exchanges react to this vulnerability?
By suspending the trading of batchOverflow-affected tokens.

1 Like
  1. How was the bug discovered?
    The batchOverflow inflation bug on BeautyChain was discovered by PeckShield when their blockchain scanning bot discovered a 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000 BEC token transaction - an amount far higher than the max supply.

  2. What is this vulnerability called?
    The vulnerability is called the batchOverflow bug.

  3. Which function is vulnerable?
    The batchTransfer function was vulnerable, which was an integer overflow issue. By having two _receivers passed into the function with a huge _value input, the hackers were able to zero out the amount passed to the batchTransfer function.
    This meant they could pass the 2 require audits, process the transaction and transfer to the 2 addresses massive amounts of BEC token.

  4. Why was the vulnerability present in several ERC20 tokens?
    Due to the open source and duplicatable nature of protocols in the cryptocurrency space, many tokens share a significant amount of their code base with other projects. As the projects abide by the ERC20 standard, a bug in one contract means that it’s likely many other contracts share the same bug.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    The code is law mentality is healthy from an optics standpoint of pushing a narrative of decentralisation in an ecosystem. Immutable code is a massive part of what sets blockchain projects apart from traditional centralised counterparts. And when people sign and/or contribute to a contract, they agree to its contents.
    Therefore, when a developer or significant figure in the project can single-handedly control the future of and decide how problems pan out, it can undermine the fundamental premise of a ‘decentralised’ ecosystem, to a degree.
    While these narrative issues exist in decentralised projects, bugs are almost inevitable in code. Bugs will surface, and because contracts store value, participants will lose money. Often millions; sometimes billions. And the debate surrounding the code is law principle is whether the team holds consistent with its long-term immutability narrative, or alternatively updates the code or rolls back the chain.
    The dilemma is which of these 2 options is more valuable?
    With a ‘code is law’ mentality, attackers will remain enriched by exploiting contracts, at the expense of everyone else involved.
    It’s a tricky debate with very little recourse.
    If a development team can identify a bug before it is exploited, a way around creating problems can be through duplicating the system state and re-deploying a patched version and urging stakeholders to make the new version the consensus network. The idea is to effectively syphon the value from the previous network to the new patched network.

  6. How did exchanges react to this vulnerability?
    OKEx suspended withdrawals and trades with the BEC token on their exchange. Some other exchanges continued temporarily with trading and withdrawals of the BEC token, so by trading with other cryptocurrencies, there were still ways to soak up value through swapping the much less valuable BEC token with other more valuable coins.

2 Likes

1. How was the bug discovered?
An automated system of PeckShield alerted their team about the transactions involving unreasonably large tokens.

2. What is this vulnerability called?
BatchOverflow

3. Which function is vulnerable?
batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?
Complying with the standard of code reusability, this function was also a part of several other ERC20 tokens. This is how this bug made its way through other tokens.

5. Why is the “code is law” mentality problematic when it comes to fixing bugs?
“Code is law” mentality suffices the principle of immutability, thus preventing developers in the earlier days from fixing any vulnerability once the contract is deployed on the chain.

6. How did exchanges react to this vulnerability?
Some of the exchanges like OKEx suspended the withdrawal and trading of batch overflow affected tokens.

2 Likes

1. How was the bug discovered?
Through an automated system that scans and analyses the Ethereum transfers.

2. What is this vulnerability called?
batchOverflow

3. Which function is vulnerable?
batchTransfer()

4. Why was the vulnerability present in several ERC20 tokens?
Because everyone reused the ERC20 code from the project that made the bug in code in the first place.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Once the contract is deployed it is immutable. The code can be changed only by writing a new contract.

6. How did exchanges react to this vulnerability?
They suspended the withdrawal and trading of BeautyChain.

1 Like

1. How was the bug discovered?
By an automated system that scans ERC-20 transfers, to look for anomalies.

2. What is this vulnerability called?
An overflow, in this case it was called batchOverflow

3. Which function is vulnerable?
batchTransfer()

4. Why was the vulnerability present in several ERC20 tokens?
Because most ERC20 tokens share and reuse the same code.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
A contract that is deployed on the blockchain is immutable and can’t be changed, so what’s written in the code is “the law”.

6. How did exchanges react to this vulnerability?
OKEx announced a suspension in trading this token, but other exchanges did not react.

2 Likes

1. How was the bug discovered?
Someone transferred an extremely large amount of BEC token.

2. What is this vulnerability called?
batchOverflow and it is essentially a classic integer overflow issue.

3. Which function is vulnerable?
The vulnerable function is located in batchTransfer, where it uses two parameters, one of them being an arbitrary 256-bit integer. By having two receivers passed into batchTransfer(), with an extremely large _value it is possible to overflow the transferred amount and make it zero.

4. Why was the vulnerability present in several ERC20 tokens?
Because a lot of contracts/tokens inherit from ERC20.

5. Why is the “code is law” mentality problematic when it comes to fixing bugs?
The code-is-law principle is present in the Ethereum blockchain, and there is no traditional well-known security response mechanism to remedy vulnerable contracts! Also, the imminent immutable essence of smart contracts makes bug solutions hard, prevention being its biggest weapon.

6. How did exchanges react to this vulnerability?
OKEx made an announcement to suspend the withdrawal and trading of BeautyChain. But it was shown to be difficult to contain the effects of such bugs.

1 Like

1. How was the bug discovered?
The bug was discovered when someone noticed that there was an unusual amount of tokens being sent to the BEC token contract.

2. What is this vulnerability called?
batchOverflow

3. Which function is vulnerable?
batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?
Because a lot of tokens inherited from the same contract standard / flavour of this specific ERC-20 contract.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism to remedy these vulnerable contracts

6. How did exchanges react to this vulnerability?
The exchanges suspended trading of these tokens

1 Like

1. How was the bug discovered?
It was discovered thanks to a system that sends out alerts for any suspicious transactions (involving unreasonably large tokens).

2. What is this vulnerability called?
batchOverflow

3. Which function is vulnerable?
batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?
Because they were copied from the same standard

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Because there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.

6. How did exchanges react to this vulnerability?
OKEx announced suspending withdrawal and trading BEC, other exchanges didn’t.

1 Like

  1. Due to PeckShield’s previous efforts analyzing EOS tokens, the team had already developed an automated system that would look out for suspicious transactions and put out an alert when one occurred. On 4/22/18 two transactions sent a large amount of BEC tokens (which amounted to a unit followed by 63 ciphers) to two different addresses. This anomaly prompted PeckShield to investigate the smart contract.

  2. The name for this vulnerability is batchOverflow

  3. batchTransfer() is the vulnerable function.

  4. Because ERC20 is just a standard, many developers were simply copying and pasting this flavor of ERC20 to build their coin which contained the batchOverflow vulnerability.

  5. Because it prevents the foundation of traditional well-known security response mechanisms from being developed and implemented to remedy vulnerable contracts.

  6. One exchange in particular, OKEx, suspended trading and withdrawal of coins with batchOverflow vulnerabilities, but it was not a coordinated effort with other exchanges.

1 Like
  1. An alarm was raised by the team’s transaction monitoring system. There was an abnormal amount of BEC tokens.

  2. batchOverflow

  3. batchTransfer()

  4. Because other ERC20 tokens reused the same code.

  5. Contracts are immutable once deployed. There is no well-known traditional security response mechanism in place to remedy contracts with vulnerability issues.

  6. OKEx made an announcement on the suspension of trading and withdrawing of BEC token.

1 Like

Answers:

  1. The bug was discovered when an alarm was raised by a system created to scan and analyze Ethereum-based token transfers.

  2. The vulnerability is called batchOverflow.

  3. The vulnerable function is batchTransfer().

  4. The vulnerability was present in several ERC20 tokens because usually the code is being used as a standard and is being used by many.

  5. The “code is law” mentality is problematic when fixing bugs because there is no traditional well-known security response mechanism in place in the Ethereum blockchain to remedy vulnerable contracts.

  6. OKEx suspended the trading activity of the BeautyChain. Other exchanges should follow if they have the same vulnerability.

1 Like

QUESTIONS

  1. How was the bug discovered?
  2. What is this vulnerability called?
  3. Which function is vulnerable?
  4. Why was the vulnerability present in several ERC20 tokens?
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
  6. How did exchanges react to this vulnerability?

ANSWERS

  1. By the company PeckShield Inc., a blockchain security company, who developed an automated system to scan and analyze Ethereum-based (ERC-20) token transfers. Their system detected the oversized transfer amounts on the ethereum blockchain and flagged it to them.

  2. batchOverflow vulnerability

  3. The “batchTransfer” function, and more specifically the calculation of the “amount” variable, which is the multiplication of “cnt” (number of _receivers) by the transfer _value, a uint256 variable that will overflow with a large enough number and force the result of this multiplication to revert to zero, in the process allowing the execution of the function to pass the 2 require statements untouched. The _value used in the balance adjustment of _receivers and in the Transfer function is the same large _value number, thereby providing the _receivers with a huge amount of tokens.

  4. Yes, because many projects copy existing code from other tokens readily available on the Ethereum blockchain without checking potential security issues prior to deployment.

  5. It’s a problem because of the immutability of smart contracts once deployed to the blockchain, as there is no mechanism in place to address bugs other than to redeploy a version after removing the bug or to destroy the contract altogether (if set up to be destroyed in the first place). Both remedies will be problematic for a running project, as interruption or elimination is not an option, although it might be the only way to avoid continued harm.
    (maybe pausing or an intelligent proxy upgradeability structure might enable the potential to address unknown bugs at deployment ?)

  6. If they are (made) aware they can suspend trading/withdrawal.

1 Like
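The overflow mechanics that several answers above describe (two _receivers, a _value of 2**255, the multiplication wrapping to zero so both require checks pass) as an added example, not code from the BEC contract or from any poster: a constructed Python model of the batchTransfer arithmetic with Solidity-style uint256 wrap-around, placed beside a SafeMath-style checked version and a supply invariant a transfer monitor can test. All function names, the ledger and the supply figure are constructed for the demo.

```python
# Added example, not the BEC/BeautyChain contract: a constructed Python model of
# the batchTransfer arithmetic, using Solidity-style uint256 wrap-around so the
# unchecked and SafeMath-checked versions can be compared on the same input.

UINT256_MAX = 2**256 - 1

def u256(x):
    """Wrap an integer the way unchecked Solidity uint256 arithmetic does."""
    return x & UINT256_MAX

def batch_transfer_unchecked(balances, sender, receivers, value):
    """Vulnerable pattern: amount = cnt * _value wraps silently, so both
    require() conditions pass while each receiver is still credited `value`."""
    cnt = len(receivers)
    amount = u256(cnt * value)  # 2 * 2**255 wraps to 0
    if not (0 < cnt <= 20):  # require(cnt > 0 && cnt <= 20)
        return False
    if not (value > 0 and balances.get(sender, 0) >= amount):
        return False  # require(_value > 0 && balances[msg.sender] >= amount)
    balances[sender] = u256(balances.get(sender, 0) - amount)
    for r in receivers:
        balances[r] = u256(balances.get(r, 0) + value)
    return True

def checked_mul(a, b):
    """SafeMath-style multiplication: refuse any product that would wrap."""
    c = a * b
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c

def checked_add(a, b):
    """SafeMath-style addition with the same revert-on-wrap behaviour."""
    c = a + b
    if c > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return c

def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened version: identical logic with checked arithmetic, so an
    overflowing amount reverts (raises here) before any balance changes."""
    cnt = len(receivers)
    amount = checked_mul(cnt, value)
    if not (0 < cnt <= 20):
        return False
    if not (value > 0 and balances.get(sender, 0) >= amount):
        return False
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = checked_add(balances.get(r, 0), value)
    return True

def exceeds_supply(balances, total_supply):
    """Invariant a transfer monitor can check: the sum of all balances must
    never exceed the declared supply. True means the token has been inflated."""
    return sum(balances.values()) > total_supply
```

Running the unchecked version with two receivers and `value = 2**255` from a sender holding 100 tokens succeeds and credits each receiver 2**255 while the sender keeps all 100; the checked version raises on the multiplication and leaves the ledger untouched.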