CertiK AutoScan Engine: 53 of the top 500 tokens by market cap were found to have vulnerabilities

CertiK, Sep 1, 2018

Within the blockchain ecosystem, a token may serve both as a store of value and as a digitized representation of real-world assets. Gradually, the standardized implementation of tokens, together with unified APIs, has enabled much smoother communication between tokens and dApps, and the processes around exchange listings have become much more consistent. To date, the most widespread token contract standard is Ethereum’s ERC-20, an improvement proposal put forward in late 2015. The latest statistics show a total of 112,446 ERC-20 based token contracts on Etherscan, and the number is growing each day. Currently, the overall market value of Etherscan’s top 500 tokens is approximately 12 billion US dollars.

Since blockchain’s infancy, there have been several catastrophic smart contract hacks, which have underscored the importance of blockchain security. To date, about 2 billion USD has been stolen as a result of attacks on smart contracts. In one of the most well-known examples, the hack of a major crowdfunding project, The DAO, resulted in losses of over 50 million USD. Over the months, similar hacks continued, causing a decline in confidence within the blockchain world. However, a larger focus on security audits and verification has helped limit hacks and regain confidence in the community. For instance, the leading block explorer for Ethereum, Etherscan, has 17 recommended security audit service providers, including CertiK, which is the premier smart contract auditing platform, created by some of the world’s top academics in formal verification.

CertiK has three major advantages over regular security audit service providers:

CertiK has a mature formal verification framework backed by thorough research that can mathematically prove whether smart contracts have security risks or bugs.

CertiK has received high regard, not only in security, but also scalability. With smart labelling and a layer-based approach to verification, the platform is able to decouple complex smart contracts into different modules. This allows verification to be completed in a distributed manner, greatly enhancing efficiency and elasticity.

Unlike traditional verification methods, which are completed manually and often time-consuming and error-prone, CertiK is highly automated. CertiK achieves this through its patented verification engine and algorithm that translates source code into machine-checkable proof objects.

In late August, CertiK announced its most recent update to the industry by launching a high-performance smart contract auto-detection engine: CertiK AutoScan Engine (CASE). After conducting a full inspection of token contracts on Etherscan (which took roughly 3 hours), the team has released the initial, desensitized scan results for industry reference. Among the top 500 tokens, 53 are affected by vulnerabilities of varying severity, with a total market cap of 40 million. Among them, 70% of the smart contracts have integer overflow issues, while 30% have functional correctness issues.

The GIF above shows CertiK’s automatic smart contract scanning and verification platform, AutoScan. (For safety purposes, all contract names shown are replaced by random characters.) Video: https://www.youtube.com/watch?v=K6GD6URJ8cQ

There are a total of 3 new types of critical bugs, 2 new types of medium bugs, and numerous bugs with low priority. Some of the newly revealed issues are mentioned below:

Unlimited Burn

Severity: Critical

Symptom: Once User A approves User B 1 token as allowance, User B will be able to drain/burn all the rest of the tokens from User A due to the flawed function implementation.
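One way this symptom can arise, as an added example that is not CertiK's code or any scanned contract: a Python model of an ERC-20-style ledger in which a hypothetical `burn_from_flawed` only checks that some allowance exists, beside a `burn_from_checked` that compares the amount with the allowance and consumes it. The flaw shown is an assumed instance, since the page does not disclose the affected code.

```python
class Ledger:
    """Minimal model of ERC-20 balances and allowances (constructed for illustration)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = {}  # (owner, spender) -> remaining allowance
        self.total_supply = sum(self.balances.values())

    def approve(self, owner, spender, amount):
        self.allowed[(owner, spender)] = amount

    def _burn(self, owner, amount):
        if amount > self.balances.get(owner, 0):
            raise ValueError("burn exceeds balance")
        self.balances[owner] -= amount
        self.total_supply -= amount

    def burn_from_flawed(self, spender, owner, amount):
        # Assumed flaw: only checks that *an* allowance exists; it never
        # compares the allowance with `amount` and never reduces it.
        if self.allowed.get((owner, spender), 0) == 0:
            raise PermissionError("no allowance")
        self._burn(owner, amount)

    def burn_from_checked(self, spender, owner, amount):
        # Hardened: the amount must fit inside the allowance, which is consumed.
        remaining = self.allowed.get((owner, spender), 0)
        if amount > remaining:
            raise PermissionError("amount exceeds allowance")
        self.allowed[(owner, spender)] = remaining - amount
        self._burn(owner, amount)


def demo():
    """Return (A's balance after flawed burn, checked burn rejected?, A's balance after)."""
    flawed = Ledger({"A": 1000})
    flawed.approve("A", "B", 1)              # B is approved for 1 token only
    flawed.burn_from_flawed("B", "A", 1000)

    fixed = Ledger({"A": 1000})
    fixed.approve("A", "B", 1)
    try:
        fixed.burn_from_checked("B", "A", 1000)
        rejected = False
    except PermissionError:
        rejected = True
    return flawed.balances["A"], rejected, fixed.balances["A"]
```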

Total market cap of impacted smart contracts: $15,000,000.

Unlimited Mint

Severity: Critical

Symptom: Contract owner can mint an unlimited amount of tokens. This puts the token holders at stake because the value of the tokens that they are holding may diminish as supply increases. This is subtle and cannot be easily spotted from the contract itself. It could also lead to fraud.

Total market cap of impacted smart contracts: $3,000,000.

Token Transfer = Mint

Severity: Critical

Symptom: Contract owner can mint an unlimited amount of tokens through integer overflow or during token transfer.

Total market cap of impacted smart contracts: $16,000,000.

Orphan Token

Severity: Medium

Symptom: Ownership transfer is not properly implemented. A contract may lose its owner when the ownership is transferred and fails. As a result, the contract can go wild and no one has permission to administer the contract.

Underflow from Balance Withdrawal

Severity: Medium

Symptom: User gets fewer tokens than they should from balance withdrawal, due to an integer overflow issue.
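Unsigned wraparound, the class behind the integer overflow findings and the "Token Transfer = Mint" symptom above, shown as an added example that is not CertiK's code or any scanned contract. It is a Python model of 256-bit arithmetic standing in for unchecked `uint256` math in pre-0.8 Solidity; the function names and the flawed guard are assumptions made for illustration.

```python
UINT256_MAX = 2**256 - 1

def wrap(x):
    """Reduce to 256 bits, as unchecked uint256 arithmetic does."""
    return x & UINT256_MAX

def safe_sub(a, b):
    if b > a:
        raise ArithmeticError("uint256 underflow")
    return a - b

def safe_add(a, b):
    c = a + b
    if c > UINT256_MAX:
        raise ArithmeticError("uint256 overflow")
    return c

def transfer_unchecked(balances, sender, to, amount):
    # Assumed flawed guard: on unsigned values "balance - amount >= 0"
    # is always true, so an overdraft wraps instead of being refused.
    if wrap(balances[sender] - amount) >= 0:
        balances[sender] = wrap(balances[sender] - amount)
        balances[to] = wrap(balances.get(to, 0) + amount)

def transfer_checked(balances, sender, to, amount):
    # Both results are computed before any write, so a failed check
    # leaves the ledger untouched (a revert, in contract terms).
    debited = safe_sub(balances[sender], amount)
    base = debited if to == sender else balances.get(to, 0)
    credited = safe_add(base, amount)
    balances[sender] = debited
    balances[to] = credited

def demo():
    """Total supply after moving 11 tokens out of a 10-token balance, each way."""
    ledger = {"owner": 10, "other": 0}
    transfer_unchecked(ledger, "owner", "other", 11)
    unchecked_total = sum(ledger.values())

    ledger2 = {"owner": 10, "other": 0}
    try:
        transfer_checked(ledger2, "owner", "other", 11)
    except ArithmeticError:
        pass  # transfer refused, balances unchanged
    return unchecked_total, sum(ledger2.values())
```

In the unchecked path the sender's balance wraps to the maximum 256-bit value, so total supply grows without any explicit mint call; the checked path keeps supply constant, including for a self-transfer.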

Smart Contracts have attracted significant attention from hackers, as a result of their unique characteristics (i.e. immutability and transparency). Although there are ways to salvage a hacked project, such as a hard fork or a technical upgrade, the most effective means of ensuring safety is to vigilantly prevent the common types of attacks. CertiK’s latest product, ‘AutoScan,’ equips cryptocurrency exchanges with the ability to continuously monitor the tokens listed on their platforms. Issues are prevented before smart contracts are deployed into the main networks.

Due to security and safety concerns, CertiK will not be identifying the names of the tokens flagged by its ‘AutoScan’ process or the locations of their vulnerabilities. Instead, CertiK will be reaching out to these projects directly in order to help fully investigate these smart contracts. Once these issues have been resolved, and with the appropriate permissions, CertiK will publicly disclose the details around the vulnerabilities detected, the investigation process, and the solution implemented. Moving forward, the CertiK team will be contacting cryptocurrency exchanges to integrate with its ‘AutoScan’ service for routine scanning and monitoring. As the blockchain ecosystem continues to evolve, the hope is that, together as a community, we can achieve a higher level of smart contract and blockchain security.

About CertiK

CertiK is a blockchain and smart contract verification platform founded by top formal verification experts from Yale and Columbia University and former senior software engineers from Google and Facebook. Unlike traditional testing approaches, CertiK attempts to mathematically prove that blockchain ecosystems and smart contracts are hacker-resistant and bug-free. CertiK’s key features include a layer-based decomposition approach, pluggable proof engine, machine-checkable proof objects, certified dApp libraries, and smart labelling.