Hyperinflation Vulnerability - Reading Assignment

1. How was the bug discovered?
	a. they scan ERC20 token transfers and get an alert if there are suspicious transactions (e.g. involving unreasonably large tokens)
	
2. What is this vulnerability called?
	a. batchOverflow --> is essentially a classic integer overflow
	
3. Which function is vulnerable?
	a. batchTransfer()
	b. by transferring a large amount of _value to two addresses (cnt = 2) you create an overflow so the amount value is zero
	c. the balance of the two receivers is increased by the extremely high _value without it costing the sender anything
	
4. Why was the vulnerability present in several ERC20 tokens?
	a. for proof of concept
	b. other token projects use the code from affected tokens - so they are also vulnerable
	
5. Why is "code is law" mentality problematic when it comes to fixing bugs?
	a. because there is no traditional way to fix bugs
	b. a deployed contract is immutable
	
6. How did exchanges react to this vulnerability?
	a. by suspending affected tokens
2 Likes
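A Python model of the arithmetic described in the post above, added here as an example (it is not the BeautyChain contract and not code from the thread): it reproduces the wrap of cnt * _value to zero for two receivers and _value = 2**255 (the 0x8000…0 value with 63 hex zeros), then runs the same function with SafeMath-style checked multiplication, which rejects the call, and applies the "transfer larger than total supply" heuristic that the monitoring system relies on. The function and parameter names follow the post; the balances, addresses and total supply are constructed values.

```python
"""Python model of the batchOverflow arithmetic (added example, not the BEC contract).

Names such as batchTransfer, _receivers, _value, cnt and amount follow the thread;
the balances, addresses and total supply below are constructed for the demo.
"""

UINT256_MOD = 2**256
UINT256_MAX = UINT256_MOD - 1


def u256(x: int) -> int:
    """Wrap an integer the way unchecked EVM uint256 arithmetic does."""
    return x % UINT256_MOD


def batch_transfer_vulnerable(balances, sender, receivers, value):
    """Model of the vulnerable batchTransfer: amount = cnt * _value, no overflow check."""
    cnt = len(receivers)
    amount = u256(cnt * value)  # 2 * 2**255 wraps to 0 in uint256
    if not (0 < cnt <= 20):
        raise ValueError("receiver count out of range")
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("insufficient balance")  # passes: any balance is >= 0
    new = dict(balances)
    new[sender] = u256(new[sender] - amount)  # subtracts 0 from the sender
    for r in receivers:
        new[r] = u256(new.get(r, 0) + value)  # each receiver is credited 2**255
    return new


def checked_mul(a, b):
    """SafeMath-style mul. Solidity checks c / a == b because c wraps; Python ints do not,
    so the bound check against UINT256_MAX is the equivalent test here."""
    c = a * b
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c


def checked_sub(a, b):
    """SafeMath-style sub: revert (raise) on underflow."""
    if b > a:
        raise OverflowError("uint256 subtraction underflow")
    return a - b


def checked_add(a, b):
    """SafeMath-style add: revert (raise) on overflow."""
    c = a + b
    if c > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return c


def batch_transfer_hardened(balances, sender, receivers, value):
    """Same function with checked arithmetic: the oversized _value reverts."""
    cnt = len(receivers)
    if not (0 < cnt <= 20):
        raise ValueError("receiver count out of range")
    amount = checked_mul(cnt, value)  # raises instead of wrapping to 0
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("insufficient balance")
    new = dict(balances)
    new[sender] = checked_sub(new[sender], amount)
    for r in receivers:
        new[r] = checked_add(new.get(r, 0), value)
    return new


def is_suspicious_transfer(value, total_supply):
    """The monitoring heuristic the thread describes: a transfer larger than supply."""
    return value > total_supply


def demo():
    """Run the 2-receiver, _value = 2**255 case from the post."""
    total_supply = 10**9 * 10**18  # constructed supply, 1e9 tokens with 18 decimals
    before = {"0xattacker": 100 * 10**18, "0xrecv1": 0, "0xrecv2": 0}  # constructed
    value = 2**255  # 0x8000...0 (63 hex zeros)
    after = batch_transfer_vulnerable(before, "0xattacker", ["0xrecv1", "0xrecv2"], value)
    try:
        batch_transfer_hardened(before, "0xattacker", ["0xrecv1", "0xrecv2"], value)
        hardened_reverted = False
    except OverflowError:
        hardened_reverted = True
    return {
        "sender_balance_unchanged": after["0xattacker"] == before["0xattacker"],
        "receiver_balance": after["0xrecv1"],
        "hardened_reverted": hardened_reverted,
        "flagged_by_monitor": is_suspicious_transfer(after["0xrecv1"], total_supply),
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations in the hardened version matters: the multiplication is checked before the balance comparison, so the revert happens before any state is touched, which is the behaviour a SafeMath `mul` gives in the real contract.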

How was the bug discovered? In earlier efforts in analyzing EOS tokens, an automated system was developed to scan and analyze Ethereum-based (ERC-20) token transfers. Specifically, the system will automatically send out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur.

What is this vulnerability called? batchOverflow

Which function is vulnerable? The Vulnerable Function: batchTransfer()

Why was the vulnerability present in several ERC20 tokens? Code from one ERC20 token was copied to another token.

Why is “code is law” mentality problematic when it comes to fixing bugs? Because of the touted “code-is-law” principle in the Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!

How did exchanges react to this vulnerability? Other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow! The presence of non-centralized exchanges with offline trading services might pose additional challenges as they cannot even stop attackers from laundering their tokens.

2 Likes
  1. The bug was discovered by PeckShield Inc. (blockchain security company). They have a system which automatically scans the Ethereum blockchain for suspicious transactions (e.g. transactions with a large amount of tokens)

  2. The vulnerability is called BatchOverflow.

  3. The function was called batchTransfer.

  4. The ERC20 token has some standard implementations which you can use. Furthermore it is free to copy and “fork” the code of some already deployed smart contracts which was done by several developers. That means when a smart contract implemented a bug which no one discovered yet, it could happen that other developers just take over this bug, because they think that smart contract is safe and well developed, especially when this smart contract/token belongs to a company with a high reputation.

  5. With the code is law approach there is no form of regulation, third party involvement or security mechanism which protects against vulnerabilities or fraud. When you accept the interaction between the smart contract and you, the code decides what happens. When you are not able to understand what happens inside you are completely at its mercy. That being said, when there is a bug coded in the smart contract and the contract is already deployed, there is nothing you can do. The bug will exist forever. (Unless an upgradeable proxy contract is used, but this was not the question I think.)

  6. The exchanges suspend the withdrawal and trading.

2 Likes
  1. How was the bug discovered?

The system automatically sent out an alert that someone has transferred an extremely large amount of BEC token.

  2. What is this vulnerability called?

batchOverflow

  3. Which function is vulnerable?

batchTransfer

  4. Why was the vulnerability present in several ERC20 tokens?

Because it is a common function in ERC20 token contract.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?

There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!

  6. How did exchanges react to this vulnerability?

The exchanges suspended the withdrawal and trading of BeautyChain ( BEC ).

1 Like
  1. It is discovered by a monitoring program when the transaction amount exceeds a suspicious limit
  2. Batch Over Flow
  3. batchTransfer()
  4. Most likely the code is copy and pasted around without proper testing
  5. Code is law doesn’t allow for fixing the code. You have to terminate the existing contract and move to a newer contract
  6. Exchanges froze large transactions of BEC coins so the attacker cannot cash out to other top coins such as BTC or ETH
1 Like

How was the bug discovered?

A huge amount showed up on a BEC token transaction.

What is this vulnerability called?

batch overflow

Which function is vulnerable?

Batch transfer

Why was the vulnerability present in several ERC20 tokens?

Copy paste from existing tokens

Why is “code is law” mentality problematic when it comes to fixing bugs?

In smart contracts the idea is that they should remain unchanged after deployment.
Any security that is in place will not be checking down to code level.

How did exchanges react to this vulnerability?

They removed affected tokens from supply

1 Like

How was the error discovered?
Because the company Peck Shield developed an automatic token transfer scanning system (ERC-20) in its effort to analyze EOS tokens.

What is this vulnerability called?
It is called batchOverflow.

Which function is vulnerable?
The batchTransfer function.

Why was the vulnerability in multiple ERC20 tokens present?
Since ERC20 is a standard, many developers recycle code from other projects.

Why is the “code is law” mentality problematic when it comes to correcting mistakes?
Because there is no response mechanism to correct these vulnerable contracts.

How did exchanges react to this vulnerability?
Stopping the withdrawal and exchange of the token, the problem is the DEX where they could launder the tokens.

1 Like

1 - How was the bug discovered?

An automated system to scan and analyze Ethereum-based (ERC-20) token transfers, alerting for suspicious transactions involving unreasonably large tokens. In this case two transfers involving BEC tokens — 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000(63 0’s).

2 - What is this vulnerability called?

The vulnerability is called batchOverflow, which is essentially a classic integer overflow vulnerability.

3 - Which function is vulnerable?

The vulnerability is on line 257 of the vulnerable function batchTransfer().

4 - Why was the vulnerability present in several ERC20 tokens?

Usually most projects are based off an ERC20 token contract written by a third party. New project creators assume that the code is free of vulnerabilities.

5 - Why is “code is law” mentality problematic when it comes to fixing bugs?

A deployed contract is seen as immutable, like the blockchain. There are no standard security response steps to handle newly discovered vulnerabilities.

6 - How did exchanges react to this vulnerability?

Exchanges do not have any in-place response actions/teams that could handle such vulnerabilities. How do they stop trading of a faulty token? With extreme difficulty, or they cannot. Some exchanges may react slightly better than others, but in general most exchanges are feckless.

1 Like

1. How was the bug discovered?
PeckShield’s automated system that scans and analyzes ERC-20 token transfers looking for anomalies.

2. What is this vulnerability called?
batchOverflow

3. Which function is vulnerable?
batchTransfer()

4. Why was the vulnerability present in several ERC20 tokens?
Copy/pasta

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
Since smart contract code is immutable, if the smart contract was not built to be specifically upgradable (proxy contracts), then bugs can’t be addressed, effectively killing the coin and its network effects.

6. How did exchanges react to this vulnerability?
OKEx announced the suspension of trading of the affected coin.

1 Like
  1. How was the bug discovered?
    by noticing a large amount of coins being transferred to an exchange, which was more than the total supply

  2. What is this vulnerability called?
    batchOverflow

  3. Which function is vulnerable?
    batchTransfer

  4. Why was the vulnerability present in several ERC20 tokens?
    Well, I think it is because they are all ERC20 tokens and the structure of the coin is very similar

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Well, the blockchain is meant to be immune to many things, and since it is so hard to debug, the most reasonable thing to do is move to a different blockchain

  6. How did exchanges react to this vulnerability?
    They stopped transactions and withdrawals to prevent the hacker from profiting from the vulnerability of this specific blockchain …

1 Like

How was the bug discovered?
The UTC system raises an alarm on an unusual token transaction

What is this vulnerability called?
Batch Overflow

Which function is vulnerable?
Batch Transfer

Why was the vulnerability present in several ERC20 tokens?
It is a common function in ERC20 token contract.

Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no established response to security threats when trying to fix vulnerable contracts like there is in traditional software development.

How did exchanges react to this vulnerability?
Exchange suspended the trading and withdrawal of tokens.

1 Like

1. How was the bug discovered?
An unreasonably large token transfer was identified.

2. What is this vulnerability called?
batchOverflow

3. Which function is vulnerable?
function batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?
batchOverflow is commonly present in those ERC20 tokens.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place.

6. How did exchanges react to this vulnerability?
Some exchanges reacted quickly by suspending withdrawal and trading, while others did not.

1 Like
  1. They had an automated scanner to scan all the suspicious ERC-20 token transactions.
  2. This vulnerability was called the batchOverflow vulnerability.
  3. The function in the BeautyChain contract that had the vulnerability was called batchTransfer().
  4. ERC20 tokens usually follow a certain boilerplate code. This caused the developers to miss out on bugs they could have caught if they had built it themselves
  5. The contract is immutable once deployed on the blockchain. This causes issues when there needs to be an immediate update to fix a bug.
  6. Some exchanges were swift in handling such a problem but some didn’t implement measures for a long time.
2 Likes
  1. How was the bug discovered?
    An automated system scanned for suspicious ERC20 transactions.

  2. What is this vulnerability called?
    Batch Overflow

  3. Which function is vulnerable?
    batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?
    Code was being reused without the actual understanding of how it works.

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Once code is deployed there is no way to change it. There is no way to fix these vulnerabilities without deploying a new smart contract.

  6. How did exchanges react to this vulnerability?
    OKEx announced that they would halt trading due to the vulnerability. A lot of large exchanges do not talk to one another though. DEXs have no way to halt trading of these affected tokens.

1 Like
  1. How was the bug discovered?
    Automated alert system for ERC20 transfers

  2. What is this vulnerability called?
    batchOverflow

  3. Which function is vulnerable?
    batchTransfer()

  4. Why was the vulnerability present in several ERC20 tokens?
    Their scan revealed that dozens of other ERC20 contracts used the same function and were vulnerable to this batchOverflow

  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    Because at times, the code is flawed, and by reflexive logic, the code cannot be law - there should be mechanisms to remedy vulnerable contracts.

  6. How did exchanges react to this vulnerability?
    Some like OKEx suspended withdrawal for BEC

1 Like
  1. The bug was discovered when an automated system that scans and analyzes Ethereum-based token transfers detected two transfers of extremely large numbers of BEC tokens.
  2. The discoverers of the bug refer to the pertinent code vulnerability as “batchOverflow.”
  3. The name of the vulnerable function is “batchTransfer.”
  4. The vulnerability was shared by several kinds of tokens because of similarities or commonalities in the contract code on which these tokens are based.
  5. The code-is-law principle, it seems to me, defines the blockchain as an open information space in which there do not exist any traditional notions of right and wrong or legal and illegal. The only form of “legality” that is recognized and affirmed in the world of the blockchain is the factual reality of code and code execution. Consequently, there is no overarching legal structure or court of law that anyone who discovers a code vulnerability can appeal to in order to ensure the vulnerability’s elimination and non-exploitation.
  6. The exchanges reacted in a non-uniform manner. On the OKEx exchange the trading and withdrawal of the BEC token was suspended, but on other exchanges it was not. Moreover, there also was no uniform effort to disallow the trading of other tokens with the same batchOverflow vulnerability.
1 Like

1- The bug was discovered when an attacker sent a transaction involving an unusually high amount of BET tokens.
2- batchOverflow
3- batchTransfer
4- Because dev teams just copy and paste their ERC-20 logic apparently without checking to make sure the code is audited!
5- Because if you have a bug in your contract that you didn’t anticipate, you’re stuck with that until the end of time.
6- By suspending withdrawals and deposits in the token.

1 Like
  1. The bug was discovered by an automated system to scan and analyse ERC-20 token transfers which raised an alarm about a transfer of an extremely large amount of BEC

  2. This vulnerability is called batchOverflow

  3. The function batchTransfer is vulnerable

  4. Other ERC20 tokens based on the same code are vulnerable

  5. “Code is law” is problematic because there is no traditional well-known security response mechanism in place to fix bugs in vulnerable contracts

  6. The response of exchanges was not coordinated, OKEx suspended withdrawal and trading of BEC, others did not

1 Like

1. How was the bug discovered?
By an alarm raised by an automated system made to scan and analyze ERC-20 token transfers.

2. What is this vulnerability called?
The vulnerability is called batchOverflow.

3. Which function is vulnerable?
batchTransfer()

4. Why was the vulnerability present in several ERC20 tokens?
They used similar token contract.

5. Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security mechanism in place to remedy vulnerabilities.

6. How did exchanges react to this vulnerability?
They suspended withdrawal and trading of the tokens.

1 Like
  1. System raised an alarm which is related to an unusual BEC token transaction.
  2. batchOverflow.
  3. batchTransfer.
  4. Because the code was commonly used as standard.
  5. There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.
  6. OKEx made an announcement to suspend the withdrawal and trading of BeautyChain BEC token.
2 Likes