It finally happened: Ethereum received its first branded vulnerability. Security startup PeckShield reported batchOverflow, an integer overflow vulnerability in an ERC20 token contract that allows attackers to create arbitrary amounts of tokens out of thin air.

In this article, I’ll show how to detect batchOverflow and similar issues in both Solidity source code and contract instances on the Ethereum blockchain.

Source Code Analysis

One of multiple live smart contracts affected by batchOverflow is the Beautychain (BEC) token contract. To analyze BEC token, I first obtained its verified source code from Etherscan and saved it in a local Solidity file named BecToken.sol .

The first important thing to note is that the Solidity file contains multiple contract and library classes, and we’ll have to tell Mythril which class to analyze. Here, we want to select the main contract class named BecToken . Note that all library functions used by BecToken as well as its parent contracts will be implicitly included in the analysis. The syntax for running security analysis on Solidity files is myth -x <Soldityfile>[:contract_name] .

$ myth -x BECToken.sol:BecToken ==== Exception state ====

Type: Informational

Contract: BecToken

Function name: transfer(address,uint256)

PC address: 5162 A reachable exception (opcode 0xfe) has been detected. This can be caused by type errors, division by zero, out-of-bounds array access, or assert violations. This is acceptable in most situations. Note however that `assert()` should only be used to check invariants. Use `require()` for regular input checking.

--------------------

In file: BECToken.sol:28 assert(c >= a)

-------------------- ==== Integer Overflow ====

Type: Warning

Contract: BecToken

Function name: transfer(address,uint256)

PC address: 5149 A possible integer overflow exists in the function `transfer(address,uint256)`. The addition or multiplication may result in a value higher than the maximum representable integer. --------------------

In file: BECToken.sol:27 a + b -------------------- ==== Integer Overflow ====

Type: Warning

Contract: BecToken

Function name: batchTransfer(address[],uint256)

PC address: 2362 A possible integer overflow exists in the function `batchTransfer(address[],uint256)`. The addition or multiplication may result in a value higher than the maximum representable integer. --------------------

In file: BECToken.sol:257 uint256(cnt) * _value --------------------

Mythril reports a total of three issues. The output shows the program counter address, line number, and source code associated with each issue. The first two issues reported are an integer overflow and an exception in line 27 and 28, respectively. These code lines form part of the function add in the SafeMath library.

As it turns out, an integer overflow can indeed occur in line 27. The purpose of the assert in line 28 is to revert the transaction if the overflow occurs. This assertion-after-the-fact pattern effectively prevents the integer overflow from having any lasting effects (we’re currently teaching Mythril to discern this pattern, but its current version reports a regular overflow).

The third detected issue is the batchOverflow vulnerability. Again, Mythril outputs the line number and code associated with the issue.

In file: BECToken.sol:257 uint256(cnt) * _value

In line 257, the length of the array receivers is multiplied with an arbitrary user-supplied value, allowing for the integer overflow to happen.

On-Chain Analysis

Mythril can also analyze live contract instances and we should expect to find the same issues in the BECToken contract running on the main net. The easiest way to analyze a contract on the blockchain is using INFURA (the -i argument).

$ myth -xia 0xC5d105E63711398aF9bbff092d4B6769C82F793D (...) ==== Integer Overflow ====

Type: Warning

Contract: 0xC5d105E63711398aF9bbff092d4B6769C82F793D

Function name: batchTransfer(address[],uint256)

PC address: 2362

A possible integer overflow exists in the function `batchTransfer(address[],uint256)`. The addition or multiplication may result in a value higher than the maximum representable integer. --------------------

As expected, Mythril detects the same three issues as in the source code analysis, including batchOverflow.

TL;DR

Mythril reliably detects integer underflows and overflows such as batchOverflow, but inspection of the source code is required to verify whether a particular overflow causes an exploitable vulnerability — assessing this often requires an understanding of the smart contract’s business logic.

To analyze Solidity code for integer overflows, run myth -x <Soldityfile>[:contract_name] . To analyze on-chain instances, run myth -xia <address> .

For installation instructions check out the Mythril README.

About Mythril and MythX

Mythril is a free and open-source smart contract security analyzer. It uses symbolic execution to detect a variety of security vulnerabilities.

MythX is a cloud-based smart contract security service that seamlessly integrates into smart contract development environments and build pipelines. It bundles multiple bleeding-edge security analysis processes into an easy-to-use API that allows anyone to create purpose-built smart contract security tools. MythX is compatible with Ethereum, Tron, Vechain, Quorum, Roostock and other EVM-based platforms.