Recently, a Batch Overflow bug affecting ERC20 tokens has shut down trading on many cryptocurrency exchanges. Rest assured that your TRST tokens and financial dApps are not affected by this bug. Read on for a brief overview of this pesky bug, and why it doesn’t affect WeTrust’s products.

The Batch Overflow bug occurs in a Batch Transfer function that is not part of the original ERC20 standard. The function in question performs a multiplication whose result can overflow 256 bits, the maximum size of a value in an ERC20 token. Essentially, Ethereum allows developers to track values up to (2²⁵⁶-1). That’s a value larger than the number 1 with 77 zeros following it! However, certain calculations can produce a result greater than this maximum. At that point, the Ethereum computer responds by dropping the highest-order digits that do not fit and keeping only the lower digits.

As an example, imagine you have a computer that only allows you to have numbers up to five digits (i.e. up to 99,999). Say you are trying to multiply two of them:

510 × 300 = 153,000

The result of the multiplication is the number 153,000, but we just said our computer can only handle numbers up to five digits. That means the sixth digit, the 1, gets dropped, leaving us with 53,000. Imagine the same thing happening with binary values (that is, numbers represented using only 0’s or 1’s) that can be up to 256 bits long, and you see how ERC20 tokens can overflow and behave in unintended ways.

To prevent these overflow situations from occurring, developers often use the Solidity SafeMath library, provided as an open source library by OpenZeppelin. SafeMath checks that the result of any calculation is correct and that no overflow has occurred. It does this by dividing the result of any multiplication by one of the original multipliers and confirming that the quotient equals the other, by making sure the result of any addition is not smaller than the original values, and by checking that no negative numbers can result from a subtraction.

In the case of the Batch Overflow bug, a piece of code multiplied two numbers without using SafeMath to check the correctness of the multiplication. The code was intended to allow a Batch Transfer, in which a certain amount of tokens can be transferred to multiple wallets with a single transaction, saving gas in the process. The code seems to have been copied and pasted by multiple developers, exposing a variety of tokens to the bug. In this case, the overflow can allow an unscrupulous person to create additional instances of the affected tokens “out of thin air”, allowing them to counterfeit the buggy tokens.
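The unchecked multiply and the SafeMath-style checks described above, as an added Python model (not code from the affected tokens, WeTrust or OpenZeppelin). The `batch_transfer` function, the ledger and the wallet names are hypothetical, and a Python integer masked to 256 bits stands in for Solidity's `uint256`.

```python
UINT256_MAX = 2**256 - 1  # added model of uint256 math, not contract code

def unchecked_mul(a, b):
    """Multiply like a 256-bit word: bits above bit 255 are silently dropped."""
    return (a * b) & UINT256_MAX

def safe_mul(a, b):
    """Checked multiply: divide the result by one factor, expect the other."""
    c = unchecked_mul(a, b)
    if a != 0 and c // a != b:
        raise OverflowError("multiplication overflowed 256 bits")
    return c

def safe_add(a, b):
    """Checked add: a wrapped sum is smaller than its first operand."""
    c = (a + b) & UINT256_MAX
    if c < a:
        raise OverflowError("addition overflowed 256 bits")
    return c

def safe_sub(a, b):
    """Checked subtract: refuse any result that would be negative."""
    if b > a:
        raise OverflowError("subtraction underflowed")
    return a - b

def batch_transfer(balances, sender, receivers, value, mul):
    """Hypothetical batch transfer; `mul` selects unchecked or checked math."""
    total = mul(len(receivers), value)       # the multiply at issue
    if value == 0 or balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] = safe_sub(balances.get(sender, 0), total)
    for r in receivers:
        balances[r] = safe_add(balances.get(r, 0), value)
    return total

def demo():
    """Constructed ledger: one holder with 100 tokens, two empty wallets."""
    value, wallets = 2**255, ["w1", "w2"]    # 2 * value == 2**256, wraps to 0
    buggy, fixed = {"alice": 100}, {"alice": 100}
    total = batch_transfer(buggy, "alice", wallets, value, unchecked_mul)
    try:
        batch_transfer(fixed, "alice", wallets, value, safe_mul)
        rejected = False
    except OverflowError:
        rejected = True
    return total, sum(buggy.values()) - 100, rejected, fixed

if __name__ == "__main__":
    print(demo())
```

With the unchecked multiply the computed total wraps to 0, so the balance check passes and the ledger's supply grows by 2**256; with the checked multiply the same call is rejected before any balance changes.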

WeTrust’s TRST tokens and Trusted Lending Circles are NOT affected by this bug. Our hardworking software development team takes security very seriously, and has made sure that both our tokens and the products powered by them are not susceptible to this type of hack.

Our users are protected from this bug because:

- TRST is an ERC20 token, but DOES NOT implement the non-standard Batch Transfer function that causes this bug.
- We do not perform any multiply that can lead to overflows in our transfer functions. In fact, we don’t perform any multiplies in our token code at all! All of the token transactions occur as additions.
- In our Trusted Lending Circles Smart Contract, we always validate the results of our calculations with the same SafeMath assertions. If the result is false, the Smart Contract will throw an error.
- Our Smart Contracts have all been independently audited by security firms, including Quantstamp, ABDK, and OpenZeppelin, the creators of the SafeMath library.

When implemented the right way, blockchain technology is highly secure and incredibly difficult to hack. However, writing secure code on the blockchain requires a great deal of care and discipline. Bugs such as Batch Overflow emphasize the importance of taking proactive measures to keep decentralized applications safe.

As the blockchain ecosystem matures, we expect to see the emergence of more tools, techniques and best practices for security. Keeping our Smart Contracts safe requires extra work from our software developers and our outside auditors, but it’s absolutely worth it to create products that our customers can completely TRUST.