Early Sunday morning, while monitoring transactions on the Ethereum blockchain, crypto security firm PeckShield was alerted to an unusually large trade. Their system had caught an unusual transaction — someone had created and transferred 58 vigintillion BEC tokens to two addresses (that’s 58 followed by 63 zeros). The firm analyzed the BEC smart contract and discovered a potential exploit that they named batchOverflow. They subsequently discovered the flaw in nine other token contacts:
- GG Token
- CNY Token
- CNY TokenPlus
The batchOverflow bug takes advantage of a rather simple exploit. In Solidity, the programming language of Ethereum contracts, a variable that grows too large eventually ‘overflows,’ meaning it rolls back to 0 and starts over.
You can see on line 257 that “amount” is the product of “cnt” and “_value.” If you submit a very large number for “_value”, “amount” becomes so big it rolls back to zero, resulting in no debit to the sender and a gargantuan credit to the receiver(s).
After PeckShield noticed the trades they notified OKEX the sole exchange trading BEC tokens, who shut down BEC trading later that day. The Beauty Ecosystem Coin is no stranger to controversy, having skyrocketed in value immediately after its creation
Two days later, hackers used the batchOverflow exploit to create large sums of another ERC20 token, Smart Mesh. Several major exchanges shut down trading of all ERC20 tokens, including Huobi, OKEX, HitBTC, and Poloniex.
Fortunately, this exploit seems to be fairly limited, not least because integer overflow is a very common issue, not limited to Solidity. Smart contract programmers normally use a SafeMath library, which catches integer overflows, and have their code audited by a third party. The vast majority of smart contracts are unaffected by this, and there is no bug within the Ethereum codebase. Huobi resumed trading after a few hours, Poloniex followed the next day.
The Saifu token smart contract was written by our experienced blockchain developers, uses the OpenZeppelin SafeMath library, and was audited by a reputable security firm. This means the SFU token should not be vulnerable to this exploit.