A smart contract vulnerability allowed hackers …

A smart contract vulnerability allowed hackers …

Smart contract vulnerability allowed hackers to withdraw 8 vigintillion BEC tokens

On Sunday, the popular cryptocurrency exchange OKEx suspended the withdrawal and trading of BeautyChain (BEC) tokens, citing “abnormal activity.” Coinmonks community on Medium shared more details about this activity.

They reported that they developed an automated system for scanning suspicious transfers of ERC20 tokens, which sent a distress signal on April 22..

As it turned out, someone deduced 8 vigintillion (value with 63 zeros) BEC from a smart contract.

A more detailed study of the contract revealed a previously unknown vulnerability, which members of the Coinmonks community called batchOverflow.

“The vulnerable function is located in batchTransfer in the following code:

As indicated on line 257, the internal variable amount is calculated as the product of cnt and _value. The second parameter, _value, can be specified as an arbitrary 256-bit value, say 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000 (63 zero). Having two _receivers skipped in batchTransfer () with this extremely large _value, we can overflow the amount and zero it out. After zeroing out amount, an attacker can bypass the check on lines 258-259 and make the subtraction on line 261 unusable. Here we come to the interesting part: as shown in lines 262-265, an extremely large _value will be added to the balance of the two recipients, which will not cost the attacker a cent! “

A smart contract vulnerability allowed hackers ...

The researchers were also able to repeat this operation with another smart contract, whose tokens are not traded on exchanges, and found a number of other contracts with a defect, to which tokens circulating on trading floors are tied..

They tried to warn the owners of smart contracts about the vulnerability, but the Ethereum principle of “code is law” makes this process difficult..

The vulnerability is especially problematic for decentralized exchanges, since they cannot even stop the attack. At the same time, huge volumes of tokens can be exchanged for bitcoins, Ethereum and other cryptocurrencies and used to manipulate the prices of all assets involved in transactions, just as it was during the phishing attack on the Binance exchange and the Viacoin pump.

A smart contract vulnerability allowed hackers ...
A smart contract vulnerability allowed hackers ...

Similar articles