An integer overflow bug in some ethereum ERC20 tokens that allows the printing of tokens out of thin air has been found, with around 12 relatively obscure projects affected.
The bug appears to be limited to implementation, or code practices, rather than anything protocol wide. It appears to basically be a coding mistake that allows anyone smart enough to invoke multiple transfers to different recipients and so in effect print tokens out of nothing.
A project called BeautyChain was affected, announcing: “on April 22, 2018, BEC’s prices fluctuate significantly due to the smart contract safety issue on the BEC. After the study by the Beauty Chain Foundation, the Beauty Chain has suspended all transactions and transfers… We will release new smart contracts as soon as possible.”
All in all around 12 contracts are known to be affected according to PeckShield researchers who in analyzing one piece of code (featured image) say:
“Both _fee and _value are input parameters which could be controlled by the attacher. If _fee + _value happens to be 0 (the overflow case), the sanity checks in line 206 could be passed. It means the attacker could transfer huge amount of tokens to an address (line 214) with zero balance.”
For extra precaution, OKex and Huobi Pro have suspended all ERC20 token deposits, with OKex stating just minutes ago:
“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – ‘BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.
To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed.”
There is no BatchOverFlow bug according to some online devs comments with that being just a name derived from a BatchTransfer limited to the description of a function some smart contract dev thought of giving to one command within and limited to his own smart contract.
The issue here appears to be failure to use best practices by potentially just one dev who might have coded all of the affected smart contracts.
He appears to have failed to use the SafeMath library, which in very simple terms is a template of sorts that you kind of plug and play in smart contract coding to work with, as the name says, math that is safe.
That means being very careful with zeros, because that’s where overflows usually happen. And of course if you are not careful, ethereum is Turing complete, so anything can happen.
But as far as ethereum itself is concerned, or the ERC20 standard, or tokens in general, there appears to be no problem with it at this stage, the bug so seemingly limited to only what appears to be just bad code.