The vulnerable batchTransfer function

batchOverflow and proxyOverflow present an unfortunate but critical message: smart contract auditing is vital. The bugs themselves are fairly simple and are able to be executed readily. These bugs work by performing an attack known as “integer overflow.” Integer overflow occurs when trying to place an integer (a whole number) into a space in memory that is too large for the integer data type.

In application, what this means is that by flooding the system with a number too large for use an attacker could create an additional supply of tokens that do not exist within the system. For exchanges, this presents an immense attack vector, as token minting can occur without necessary sanity checks that properly assure issuance of the token. In relevant transactions, this will appear to mint tokens out of seemingly nothing.

That is how the bugs were initially caught. On April 22nd, PeckShield’s automated system scanning for unusual activity in ERC20 token transfers noted that an anomalously large amount of token had been transferred in BEC (BeautyChain). After the transfer, the PeckShield team analyzed the BeautyChain contract for vulnerabilities — and found batchOverflow. A brief synopsis is available on Medium concerning batchOverflow and proxyOverflow.

Although not every ERC20 token was open to this vulnerability — and it should be noted that the flaw is not within the ERC20 standard itself — many contracts were published that never were checked for these potential exploits.

To serve our community, Quantstamp has contacted affected tokens and their relevant exchanges to assist at cost. We won’t be making a profit from our effort to make the Ethereum ecosystem more secure.

Catching vulnerabilities before contracts go live is a better solution than rapid patches. We would love to help you solve these issues in advance, please contact security@quantstamp.com for more information.