Exchanges Suspend ERC20 Token Deposits as Attackers Exploit Smart Contract Bug

Many cryptocurrency exchanges and brokerage services have suspended ERC20 token deposits after researchers discovered a bug in at least a dozen smart contracts that allowed attackers to generate a virtually unlimited amount of tokens.

Researchers say that the bug, which was discovered over the weekend and is a type of integer overflow error, allowed attackers to manipulate the _value parameter used in a check that is meant to ensure that the value of the tokens transferred through a transaction is lower than the total number of tokens created by the contract. In short, the attackers managed to print a virtually unlimited number of tokens out of thin air.

In one instance, the attackers managed to generate 65,133,050,195,990,400,000,000,000,000,000,000,000,000,000,000.891004451135422463 fraudulent units of SmartMesh (SMT), whose total token supply is supposed to be fixed at 3,141,592,653.

In another, the attackers created 57,896,044,618,658,100,000,000,000,000,000,000,000,000,000,000,000,000,000,000.792003956564819968 BeautyChain (BEC) tokens through a single transaction.

Researchers say that they have found at least a dozen tokens that are vulnerable to the bug, though they have not provided an exhaustive list.

Importantly, the attack appears to have been executed through a function — batchTransfer — that is not present in the official ERC20 standard. This is one reason that only a small number of tokens appear to be vulnerable to the bug.
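The following added example (not code from any affected contract) models the integer overflow described above in Python, comparing an unchecked 256-bit multiplication with a checked one and testing the invariant that a transfer must leave total supply unchanged. The function names, the constructed balances, and the assumption that the batch total is computed as receiver count times _value are illustrative.

```python
# Added illustration: simplified model, not code from any affected contract.
UINT256_MAX = 2**256 - 1


def mul_unchecked(a, b):
    """Unchecked uint256 multiplication: the result wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a, b):
    """Checked multiplication: refuse any product that does not fit in uint256."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product


def batch_transfer(balances, sender, receivers, value, mul):
    """Hypothetical batch transfer: debit the sender once, credit each receiver."""
    if not receivers or value <= 0:
        raise ValueError("empty batch or zero value")
    total = mul(len(receivers), value)  # assumed shape of the total computation
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - total
    for receiver in receivers:
        balances[receiver] = balances.get(receiver, 0) + value


def run_case(mul, value):
    """Run one constructed batch to two receivers; return (outcome, supply change)."""
    balances = {"sender": 100}  # constructed starting state
    before = sum(balances.values())
    try:
        batch_transfer(balances, "sender", ["a", "b"], value, mul)
        outcome = "accepted"
    except (OverflowError, ValueError):
        outcome = "rejected"
    # Invariant a transfer must preserve: total supply does not change.
    return outcome, sum(balances.values()) - before


if __name__ == "__main__":
    for name, mul in (("unchecked", mul_unchecked), ("checked", mul_checked)):
        print(name, run_case(mul, 10), run_case(mul, 2**255))
```

With the checked multiplication the oversized batch is rejected before any balance changes, while ordinary transfers behave identically in both versions.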

Nevertheless, many exchanges, including OKEx, Changelly, and Poloniex, have suspended ERC20 deposits across the board while they investigate the issue further, and have rolled back some trades involving the fraudulently created tokens.

“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed,” OKEx wrote in a statement. “Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack.”

SmartMesh, one of the affected cryptocurrencies, said that it has reached agreements with a number of exchanges to “resolve losses” associated with the bug. The SmartMesh Foundation will also destroy an amount of SMT equivalent to the number of counterfeit tokens that cannot be frozen or recovered, to ensure that SMT’s token supply remains consistent.

