Hyperinflation Vulnerability - Reading Assignment

Answer the questions below:

1. How was the bug discovered?
2. What is this vulnerability called?
3. Which function is vulnerable?
4. Why was the vulnerability present in several ERC20 tokens?
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
6. How did exchanges react to this vulnerability?

1. How was the bug discovered?

By an alarm raised by a security team’s transaction monitoring system.

2. What is this vulnerability called?

batchOverflow

3. Which function is vulnerable?

batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?

I guess the reason is: “ERC20 token is a standard, so it felt safe to take someone else’s implementation (for example from OpenZeppelin or another similar source, or some ERC20 contract published by another well known and respected company) and apply it to your token.”

5. Why is “code is law” mentality problematic when it comes to fixing bugs?

The blockchain is immutable by design. So if the contract contains bugs, the only way is to create a new one and abandon the existing one (and abandon all the ether it holds, I guess).
Note: The upgradeable proxy contracts are out of scope for this lecture, I guess.

6. How did exchanges react to this vulnerability?

The price of the cryptocurrency (or fiat currency) might peak since the demand goes up as the owner of exploited tokens starts to sell them in order to make a profit.

  1. A huge amount of BEC tokens was transferred, raising an alarm.
  2. batchOverflow
  3. batchTransfer
  4. Probably the same functions get reused, so the vulnerabilities are also copied there.
  5. smart contracts are immutable, they are not supposed to be changed, and fixing would require a change.
  6. OKEx responded with suspension of trading, but other exchanges were too slow to react.
  1. An alert generated from a blockchain security company’s “automated system [developed] to scan and analyze Ethereum-based (ERC-20) token transfers.”
  2. “batchOverflow is essentially a classic integer overflow issue”
  3. batchTransfer()
  4. ERC20 tokens commonly use boilerplate code
  5. Spirit of the law vs letter of the law. Siding with letter of the law assumes perfection. Seems there’s no good way to remedy imperfection with letter of the law. Updates are not meant to be done ideally, because it’s assumed perfect.
  6. Uncoordinatedly.
  1. How was the bug discovered?
    The bug was discovered when a system raised an alarm related to an unusual BEC token transaction.
  2. What is this vulnerability called?
    batchOverflow Bug in Multiple ERC20 Smart Contracts
  3. Which function is vulnerable?
    batchTransfer()
  4. Why was the vulnerability present in several ERC20 tokens?
    Because it is a common function in ERC20 token contract.
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!
  6. How did exchanges react to this vulnerability?
    Uncoordinatedly.
  1. By an external company monitoring for unusual transactions on the BEC contract
  2. Batch Overflow
  3. batchTransfer()
  4. because the code was part of the standard ERC20 contract
  5. once deployed , a contract is in-effect immutable. meaning it becomes ‘law’
  6. some were quicker about suspending the token, others were too slow to react.

How was the bug discovered?
By using an automated systems that scanned for abnormal ERC20 based transfers

What is this vulnerability called?
batchOverflow

Which function is vulnerable?
The batchTransfer function

Why was the vulnerability present in several ERC20 tokens?
The article does not mention it but per Ivan this is due to code re-use without taking time to understand everything the copied code does.

Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts

How did exchanges react to this vulnerability?
OKEx suspended trading; responses from other exchanges are unknown.

  1. The blockchain security company, PeckShield Inc, has built a system that automatically scans Ethereum transactions and sends alerts when suspicious transactions occur. Evidently, this was built on top of previous efforts to analyze EOS tokens.

  2. It’s called batchOverflow.

  3. In the given example of BeautyChain, it’s the batchTransfer function. If multiple receivers pass in an extremely large _value they can overflow the amount variable. This allows them to pass the requirements set in lines 258 and 259, through unintentional means, thereby negating the subtraction in line 261 because amount = 0. Then their balances are added by the large inputted _value through the loop in lines 262-265.

255 function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) {
256  uint cnt = _receivers.length;
257  uint256 amount = uint256(cnt) * _value;   // unchecked multiply: can wrap to 0
258  require(cnt > 0 && cnt <= 20);
259  require(_value > 0 && balances[msg.sender] >= amount);
260
261  balances[msg.sender] = balances[msg.sender].sub(amount);
262  for (uint i = 0; i < cnt; i++) {
263       balances[_receivers[i]] = balances[_receivers[i]].add(_value);
264       Transfer(msg.sender, _receivers[i], _value);
265  }
266  return true;
267 }
268}
  4. Because many projects simply copy and paste code from other projects instead of writing their own.

  5. As a result, there is no established response to security threats when attempting to remedy vulnerable contracts like there is in traditional software development.

  6. OKEx made an announcement that they were suspending BeautyChain due to the vulnerability, but most large exchanges do not coordinate with each other, so this is not an ultimate solution to the vulnerability. Other exchanges may have done something after the discovery, however, there are many decentralized exchanges with offline capabilities that have no means to halt the trade of affected tokens.
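The following is an added example, not code from the article, the BEC contract or any poster above. It models uint256 arithmetic in Python to reproduce the batchOverflow described in the post: with two receivers and _value = 2**255, cnt * _value equals 2**256, which wraps to 0, so both require() checks pass, the sender is debited nothing, and each receiver is credited 2**255. The same ledger is then run with a SafeMath-style checked multiply, which reverts, and a simple monitoring heuristic of the kind that raised the alarm (a single Transfer larger than totalSupply) is run over the emitted events. The token name, supply, account names and the "two accomplices" attack layout are constructed for the example.

```python
# Constructed simulation (added example, not the BEC contract's own code) of the
# batchOverflow bug, its SafeMath fix, and a transfer-monitoring heuristic.

UINT256_MAX = (1 << 256) - 1


def wrapping_mul(a, b):
    """Pre-0.8 Solidity semantics: uint256 multiplication silently wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def checked_mul(a, b):
    """SafeMath.mul semantics: revert (raise) instead of wrapping."""
    c = a * b
    if c > UINT256_MAX:
        raise OverflowError("SafeMath: multiplication overflow")
    return c


class BatchToken:
    """Minimal ERC20-style ledger with the batchTransfer() logic from the thread."""

    def __init__(self, owner, supply, mul):
        self.total_supply = supply
        self.balances = {owner: supply}
        self.transfers = []  # emitted Transfer(from, to, value) events
        self._mul = mul      # wrapping_mul (vulnerable) or checked_mul (fixed)

    def batch_transfer(self, sender, receivers, value):
        cnt = len(receivers)
        amount = self._mul(cnt, value)  # the only line that differs between bug and fix
        if not (0 < cnt <= 20):
            raise ValueError("require(cnt > 0 && cnt <= 20) failed")
        if not (value > 0 and self.balances.get(sender, 0) >= amount):
            raise ValueError("require(_value > 0 && balances[msg.sender] >= amount) failed")
        # With amount == 0 the sender is debited nothing, yet each receiver is credited.
        self.balances[sender] = self.balances.get(sender, 0) - amount
        for r in receivers:
            self.balances[r] = (self.balances.get(r, 0) + value) & UINT256_MAX
            self.transfers.append((sender, r, value))
        return True


def overflow_value(cnt):
    """Choose _value so that cnt * _value == 2**256, i.e. amount wraps to exactly 0.
    Only works when cnt is a power of two; this example uses two receivers."""
    assert cnt & (cnt - 1) == 0, "cnt must be a power of two"
    return (1 << 256) // cnt


def run_attack(mul):
    """Attacker holds zero tokens and tries to credit two accomplices 2**255 each.
    Returns the resulting ledger (or raises OverflowError under checked_mul)."""
    token = BatchToken(owner="issuer", supply=1_000_000, mul=mul)  # constructed supply
    accomplices = ["acc1", "acc2"]
    token.batch_transfer("attacker", accomplices, overflow_value(len(accomplices)))
    return token


def flag_suspicious_transfers(token):
    """Monitoring heuristic: a single Transfer larger than totalSupply cannot be legitimate."""
    return [t for t in token.transfers if t[2] > token.total_supply]


def ledger_is_consistent(token):
    """Invariant that batchOverflow breaks: sum of all balances == totalSupply."""
    return sum(token.balances.values()) == token.total_supply


if __name__ == "__main__":
    hacked = run_attack(wrapping_mul)
    print("acc1 balance:", hacked.balances["acc1"])
    print("attacker balance:", hacked.balances.get("attacker", 0))
    print("alerts raised:", len(flag_suspicious_transfers(hacked)))
    print("ledger consistent:", ledger_is_consistent(hacked))
    try:
        run_attack(checked_mul)
    except OverflowError as e:
        print("SafeMath version reverted:", e)
```

The attacker needs no balance at all: require(balances[msg.sender] >= amount) is satisfied by any balance once amount has wrapped to 0. The fixed variant differs in one line only (checked_mul in place of wrapping_mul), which is exactly why SafeMath, and later the built-in checked arithmetic of Solidity 0.8, closes this class of bug.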

  1. How was the bug discovered?

By an automated system developed by the security company PeckShield for analyzing ERC-20 token transactions. This system also automatically sends out alerts if anything suspicious occurs, like in this case, where an extraordinarily huge amount of BEC was transferred.

  2. What is this vulnerability called?

batchOverflow

  3. Which function is vulnerable?

batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?

ERC-20 tokens often reuse code from other tokens, so the vulnerability could easily spread among them, especially because it is a common function in these contracts.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?

The smart contract is seen as immutable and lasting forever, and its code acts as the foundation of trustless and voluntary transactions. The code is law. Thus, even bugs are part of the contract in this mentality, and individuals are responsible for themselves and should consider these bugs before using the contract. Providing an option for updating implies that one must trust at least the developer team, and that they would not just implement another exploit serving themselves or alter the code in another unwanted way.

  6. How did exchanges react to this vulnerability?

By suspending affected tokens

1 - By an automatic alarm about suspicious operations
2 - batchOverflow
3 - batchTransfer()
4 - Because those ones took the standard code with that vulnerability
5 - Because you can rewrite the smart contract to fix it
6 - Some of them stopped withdrawals, others could delist the tokens… but we still have some issues with the DEXs

1. How was the bug discovered?
With a system that automatically sends out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur.

2. What is this vulnerability called?
    BatchOverflow.

3. Which function is vulnerable?
    The Vulnerable Function: batchTransfer().

4. Why was the vulnerability present in several ERC20 tokens?
    The same function is reused with the same vulnerability.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because changes in code are very hard (almost impossible) to implement.

6. How did exchanges react to this vulnerability?
    OKEx made an announcement to suspend the withdrawal and trading of BeautyChain (BEC), a batchOverflow-affected token. However, other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow! The presence of non-centralized exchanges with offline trading services might pose additional challenges as they cannot even stop attackers from laundering their tokens.

  1. By monitoring unusual transactions on the BEC token transactions.
  2. Batch Overflow.
  3. batchTransfer().
  4. Because it is a common function in ERC20 token contracts.
  5. Once deployed, a contract is in-effect immutable. Meaning it becomes ‘law’
  6. Uncoordinatedly.

Hyperinflation Vulnerability Homework

1. How was the bug discovered?
PeckShield developed an automated system to scan and analyze ERC-20 token transfers. This automated system detected an unreasonably large token transfer caused by batchOverflow, due to a computational product integer overflow issue within the ERC-20 source code.

2. What is this vulnerability called?
Batch overflow

3. Which function is vulnerable?
batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?
Because programmers copied each others code replicating the BatchOverFlow vulnerability.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There was no traditional well-known security response mechanism to remedy vulnerable contracts.

6. How did exchanges react to this vulnerability?
OKEX exchange suspended the trading and withdrawal of BeautyChain (BEC) tokens.

  1. How was the bug discovered? The bug was discovered by an automated system developed by PeckShield that scans the Ethereum blockchain to monitor for suspicious ERC-20 token transactions.

  2. What is this vulnerability called? The vulnerability is called batchOverflow.

  3. Which function is vulnerable? The batchTransfer function is vulnerable.

  4. Why was the vulnerability present in several ERC20 tokens? The vulnerability was present in several ERC20 tokens since the code is being “shared”; the bugs are inherited if they go unnoticed.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs? It is problematic because there are few traditional solutions that maintain the core principle of immutability on the blockchain. There is division on how these vulnerabilities can be handled by the various communities.

  6. How did exchanges react to this vulnerability? One exchange suspended trading and withdrawal however many centralized exchanges are still trading tokens with this vulnerability. It is even more complex to coordinate a response on decentralized exchanges.

  1. How was the bug discovered?
    PeckShield’s automated system detected the unusually large token transfer as it sent an alert.
  2. What is this vulnerability called?
    batchOverflow
  3. Which function is vulnerable?
    batchTransfer
  4. Why was the vulnerability present in several ERC20 tokens?
    A lot of ERC20 tokens are created using most of the same code from other tokens.
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Contracts are basically immutable once they are deployed, there is no traditional well-known security response mechanism in place to remedy vulnerable contracts.
  6. How did exchanges react to this vulnerability?
    There is no ultimate solution that all exchanges follow and any halts would not be coordinated, there are exchanges that have offline functions that would not even be able to halt trading of an effected token.

1. How was the bug discovered?
By an automated system that scans ERC-20 transfers, to look for anomalies.

2. What is this vulnerability called?
An overflow, in this case it was called batchOverflow

3. Which function is vulnerable?
batchTransfer()

4. Why was the vulnerability present in several ERC20 tokens?
Because most ERC20 tokens share and reuse the same code.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
A contract that is deployed on the blockchain is immutable and can’t be changed, so what’s written in the code is “the law”. Fixing any bug requires a change in the code, which cannot be done without deploying a new contract.

6. How did exchanges react to this vulnerability?
OKEx announced a suspension in trading this token, but it’s a wild west out there, so other exchanges did not react. Also other tokens with similar problems were (are) still tradable.

  1. Blockchain security company called PeckShield Inc. developed an automated system to scan and analyze Ethereum-based (ERC-20) token transfers. On 4/22/2018, 03:28:52 a.m. UTC, their system raised an alarm after discovering an unusual “BEC” token transaction.
  2. This vulnerability is called “batchOverflow”.
  3. The batchTransfer function is vulnerable.
  4. The vulnerability was present in several ERC20 tokens because ERC20 token is a standard. Code for creating tokens based on ERC20 tokens was copied by a lot of parties that issued different tokens.
  5. The “code is law” mentality is problematic when it comes to fixing bugs, because there are no traditional well-known security response mechanisms in place in the Ethereum blockchain to remedy vulnerable contracts.
  6. OKEx made an announcement to suspend the withdrawal and trading of BeautyChain BEC token.
  1. Built on our earlier efforts in analyzing EOS tokens, we have developed an automated system to scan and analyze Ethereum-based (ERC-20) token transfers. Specifically, our system will automatically send out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur.

  2. batchOverflow

  3. batchTransfer

  4. They just copy much of their code from other ERC20 tokens (?)

  5. There Code is Law, this code is leading and can’t be erased from the blockchain. Only an update will probably fix it but it needs more work than just changing a simple code snippet.

  6. OKEx suspended trading responses from other exchanges is unknown.


1. How was the bug discovered?
By transferring an extremely large amount of BEC token!

2. What is this vulnerability called?
BatchOverflow.

3. Which function is vulnerable?
batchTransfer();

4. Why was the vulnerability present in several ERC20 tokens?
Reused function.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!

6. How did exchanges react to this vulnerability?
OKEx made an announcement to suspend the withdrawal and trading of BeautyChain ( BEC ), a batchOverflow-affected token. However, other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow!
