OKEx – a popular digital asset trading platform which provides fiat-to-cryptocurrency, cryptocurrency-to-cryptocurrency, and derivatives trading services – has suspended deposits of all ERC-20 tokens after discovering a smart contract bug. Pending deposits are reportedly safe, however.
The bug in question sits in the token contracts themselves rather than in the exchange: it purportedly lets attackers conjure up enormous token balances, which they could then deposit and use to manipulate prices on the platform. Therefore, to protect market integrity, OKEx has stopped the flow of incoming ERC-20 tokens. In an official blog post, the company announced:
We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – “BatchOverFlow”. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulation by attackers.
To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack.
If you have already made a deposit request on the platform, OKEx has assured users that their tokens are safe and sound:
If you have already made a deposit request, your funds will arrive safely after our deposit service has resumed. We apologize for any inconvenience caused.
Changelly, another popular cryptocurrency trading service, has also suspended ERC20 token trading in response to the news of the exploit.
Dear Customers, ERC20 tokens are temporarily unavailable due to an exploit check. We will bring them back, once we are sure there is no vulnerability in deposits received. Follow the updates! https://t.co/qYutri4X3X
— Changelly.com (@Changelly_team) April 25, 2018
Not so “Smart”
The exploit was apparently discovered on April 22, when Coinmonks wrote that their “system raised an alarm which is related to an unusual BEC token transaction.” The authors further noted:
In this particular transaction, someone transferred an extremely large amount of BEC token — 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000 (63 0’s - In fact, there are actually two such large token transfers, with each transfer involving the same amount of tokens from the same BeautyChain contract but to two different addresses).
Furthermore, the authors claim that their “results show that more than a dozen ERC20 contracts are also vulnerable to batchOverflow” – hence the freeze of all ERC-20 deposits on OKEx.
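Why two transfers of exactly 0x8000…0 (that is, 2^255) tokens? The added Python model below, which is not the BeautyChain contract's code nor anything published by OKEx or Coinmonks, reconstructs the arithmetic: it assumes the batchOverflow pattern is a batch transfer that computes its total as `cnt * value` in unchecked 256-bit arithmetic, where 2 * 2^255 wraps to zero and the balance check passes trivially. It places the vulnerable routine beside a SafeMath-style hardened one and adds the kind of sanity check an exchange monitor could apply to incoming Transfer events. All function names, account names, balances and the total supply are hypothetical.

```python
# Added example: a Python model of the batchOverflow arithmetic.
# This is NOT the BeautyChain (BEC) contract; it assumes the vulnerable
# pattern is a batch transfer whose total is cnt * value computed in
# EVM-style uint256 arithmetic, which wraps modulo 2**256 instead of
# trapping. Function, account and supply values are hypothetical.

UINT256_MOD = 2 ** 256


class Uint256Overflow(Exception):
    """Raised by the checked arithmetic where a Solidity contract would revert."""


def u256(x):
    """Wrap an integer exactly as the EVM wraps a uint256."""
    return x % UINT256_MOD


def checked_mul(a, b):
    """SafeMath-style multiplication: detect wraparound and raise."""
    if a == 0:
        return 0
    c = u256(a * b)
    if c // a != b:          # the product no longer divides back: it wrapped
        raise Uint256Overflow(f"{a} * {b} overflows uint256")
    return c


def _batch_transfer(balances, sender, receivers, value, mul):
    """Shared batch-transfer logic; `mul` decides how the total is computed."""
    cnt = len(receivers)
    if not 0 < cnt <= 20 or value == 0:
        raise ValueError("bad parameters")
    amount = mul(cnt, value)                 # total the balance check sees
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] = u256(balances[sender] - amount)
    for r in receivers:
        balances[r] = u256(balances.get(r, 0) + value)
    return amount


def batch_transfer_vulnerable(balances, sender, receivers, value):
    """Unchecked total: cnt * value silently wraps, as in batchOverflow."""
    return _batch_transfer(balances, sender, receivers, value,
                           lambda a, b: u256(a * b))


def batch_transfer_safe(balances, sender, receivers, value):
    """Hardened total: the same logic with checked multiplication."""
    return _batch_transfer(balances, sender, receivers, value, checked_mul)


def is_impossible_transfer(value, total_supply):
    """Monitoring check: no honest transfer can move more than the supply."""
    return value > total_supply


def demo():
    """Reproduce the shape of the BEC incident: two receivers, 2**255 each."""
    value = 1 << 255                   # 0x8000...0 (63 hex zeros)
    receivers = ["receiver_a", "receiver_b"]
    total_supply = 7 * 10 ** 27        # hypothetical supply, wei-style units

    balances = {"attacker": 10 ** 18}  # hypothetical modest real balance
    seen = batch_transfer_vulnerable(balances, "attacker", receivers, value)
    # 2 * 2**255 == 2**256 wraps to 0, so the balance check is against 0
    # and each receiver is credited 2**255 tokens out of thin air.

    safe_balances = {"attacker": 10 ** 18}
    try:
        batch_transfer_safe(safe_balances, "attacker", receivers, value)
        reverted = False
    except Uint256Overflow:
        reverted = True

    return {
        "amount_checked": seen,
        "attacker_after": balances["attacker"],
        "receiver_a": balances["receiver_a"],
        "flagged": is_impossible_transfer(value, total_supply),
        "safe_reverted": reverted,
        "safe_unchanged": safe_balances == {"attacker": 10 ** 18},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        shown = hex(v) if isinstance(v, int) and not isinstance(v, bool) else v
        print(f"{k}: {shown}")
```

Running it shows the vulnerable path checking the sender against a total of 0, leaving the attacker's own balance untouched while both receivers gain 2^255 tokens, whereas the checked version raises before any state changes. The `is_impossible_transfer` check is deliberately crude: a single Transfer event larger than the token's total supply is sufficient grounds to pause deposits for that token while the contract is investigated.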
The authors also note that “with the touted ‘code-is-law’ principle in Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!”
In February, Bitcoinist also reported on research which found that upwards of 34,200 smart contracts currently in circulation contain coding bugs, leaving millions of dollars exposed to theft.
What do you think of the latest example of smart contracts acting stupid? Let us know in the comments below!
Images courtesy of Wikimedia Commons, Pixabay