A newly discovered bug exploiting a smart contract vulnerability caused several exchanges to halt the deposit or withdrawal of ERC-20 tokens. The bug, called batchOverflow, allows manipulation of some smart contracts when attempting to transfer extremely large amounts of (non-existent) tokens. This causes an error in the code that then bypasses certain security measures.
The issue was first discovered when an anomaly was detected in the BeautyChain (BEC) blockchain. Someone transferred such a large amount of tokens (a number with 63 zeros) that it triggered the batchOverflow error and credited the person with the massive amount of tokens. This has security implications beyond the impact to BEC and could affect market prices at large.
Exchanges disable ERC-20 deposits and withdrawals
BEC, a relatively new token, is only listed on the Hong-Kong based OKEx exchange, which is billed as the third largest in the world by daily trading volume. OKEx announced that they are suspending deposits on all ERC-20 tokens following the discovery of the vulnerability. Poloniex also suspended deposits and withdrawals but has since reinstated functionality.
Known instances of the hack aren’t limited to BEC transactions. Smart contracts involving SmartMesh (SMT) tokens are also vulnerable to the batchOverflow exploitation. Huobi Pro announced they would suspend the withdrawal and deposit of all coins after someone attempted to move 10 quadrillion SmartMesh tokens. Regarding the transfer, Huobi stated that the abnormality was detected and they didn’t credit the transaction.
Dozens of tokens affected
While we don’t know the full extent to which the larger ERC-20 ecosystem is affected, we know it goes beyond BEC and SMT. According to the team that initially discovered the flaw, they examined other tokens and discovered dozens of projects that incorporated the faulty function. The full list was not made public, but attempts were made to reach out to the developers.
It’s worth noting that the flaw isn’t inherent to the structure of ERC-20 code itself, rather the issue lies in a problematic function included in some smart contracts. Not all smart contracts incorporate the function, but it isn’t known exactly how many or what they plan to do about it. The flaw is deeply concerning for the larger cryptocurrency economy, as bad actors could significantly manipulate market prices if it appeared as if they have an unimaginably large amount of a certain token.
‘Code-is-law’ vs ‘code-is-suggestion’
This issue, where someone causes smart contract code to behave in a way not intended by its creators, ties into an ongoing debate within the cryptocurrency community. By now there have been countless instances of smart contract manipulation, from the infamous DAO hack to newer instances like batchOverflow. Whether these acts are hacks or merely the discovery of unknown “features” in smart contracts lies in the eyes of the beholder (and whether or not you lost money in the event).
So far, the consensus seems to fall into the “code-is-suggestion” camp. Most high-profile exploitations of smart contracts have resulted in the blockchain being rolled back or forked to protect the assets of the well-intentioned. This causes issues at the core of the decentralized aspirations of the crypto community, as it requires a central authority to choose which users to credit: the “well-intentioned” or the code-savvy manipulators.