Hyperinflation Vulnerability - Reading Assignment

Answer the questions below:

1. How was the bug discovered?
2. What is this vulnerability called?
3. Which function is vulnerable?
4. Why was the vulnerability present in several ERC20 tokens?
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
6. How did exchanges react to this vulnerability?

1. How was the bug discovered?

By an alarm raised by security team’s transaction monitoring system.

2. What is this vulnerability called?

batchOverflow

3. Which function is vulnerable?

batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?

I guess the reason is: "ERC20 token is a standard, so it felt safe to take someone else's implementation (for example from OpenZeppelin or another similar source, or some ERC20 contract published by another well known and respected company) and apply it to your token."

5. Why is “code is law” mentality problematic when it comes to fixing bugs?

The blockchain is immutable by design. So if the contract contains bugs, the only way is to create a new one and abandon the existing one (and abandon all the ether it holds, I guess).
Note: The upgradeable proxy contracts are out of scope for this lecture, I guess.

6. How did exchanges react to this vulnerability?

The price of the cryptocurrency (or fiat currency) might peak since the demand goes up as the owner of exploited tokens starts to sell them in order to make a profit.

  1. A huge amount of BEC tokens was transferred, raising an alarm.
  2. batchOverflow
  3. batchTransfer
  4. Probably the same functions get reused, so the vulnerabilities are also copied there.
  5. Smart contracts are immutable, they are not supposed to be changed, and fixing would require a change.
  6. OKEx responded with suspension of trading, but other exchanges were too slow to react.

  1. An alert generated from a blockchain security company’s “automated system [developed] to scan and analyze Ethereum-based (ERC-20) token transfers.”
  2. “batchOverflow is essentially a classic integer overflow issue”
  3. batchTransfer()
  4. ERC20 tokens commonly use boilerplate code
  5. Spirit of the law vs letter of the law. Siding with letter of the law assumes perfection. Seems there’s no good way to remedy imperfection with letter of the law. Updates are not meant to be done ideally, because it’s assumed perfect.
  6. Uncoordinatedly.
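A Python model of the integer overflow this post describes, added here as an illustration (not code from the thread or from any token contract): it assumes the vulnerable pattern is an unchecked `count * value` total compared against the sender's balance, and shows the SafeMath-style check that rejects the wrapped total.

```python
# Constructed model of the batchOverflow pattern. Pre-0.8 Solidity uint256 arithmetic
# wraps modulo 2**256, so an unchecked count * value can become a tiny number that
# passes the sender's balance check. Simplified; not the code of any real token.

UINT256_MAX = 2**256 - 1


def unchecked_mul(a: int, b: int) -> int:
    """Old Solidity semantics: multiplication silently wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: reject the product when it does not fit."""
    if a == 0:
        return 0
    product = (a * b) & UINT256_MAX      # emulate the wrapped EVM result
    if product // a != b:                # canonical SafeMath overflow test
        raise ValueError("SafeMath: multiplication overflow")
    return product


def total_is_safe(cnt: int, value: int) -> bool:
    """True when cnt * value fits in uint256 (what the hardened contract requires)."""
    try:
        checked_mul(cnt, value)
        return True
    except ValueError:
        return False


def batch_transfer(balances: dict, sender: str, receivers: list, value: int, mul) -> dict:
    """Pay `value` to every receiver; `mul` decides whether the total is checked."""
    cnt = len(receivers)
    if not (0 < cnt <= 20) or value <= 0:
        raise ValueError("bad parameters")
    total = mul(cnt, value)              # the vulnerable line when mul is unchecked_mul
    if balances.get(sender, 0) < total:  # passes when total wrapped to a small number
        raise ValueError("insufficient balance")
    new = dict(balances)
    new[sender] -= total
    for r in receivers:
        new[r] = (new.get(r, 0) + value) & UINT256_MAX
    return new
```

Run `batch_transfer` with `checked_mul` and the same inputs and the wrapped total is rejected before any balance changes, which is the behaviour the fixed contracts enforce.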

  1. How was the bug discovered?
    The bug was discovered when a system raised an alarm about an unusual BEC token transaction.
  2. What is this vulnerability called?
    batchOverflow Bug in Multiple ERC20 Smart Contracts
  3. Which function is vulnerable?
    batchTransfer()
  4. Why was the vulnerability present in several ERC20 tokens?
    Because it is a common function in ERC20 token contract.
  5. Why is “code is law” mentality problematic when it comes to fixing bugs?
    There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts!
  6. How did exchanges react to this vulnerability?
    Uncoordinatedly.

  1. By an external company monitoring for unusual transactions on the BEC contract
  2. Batch Overflow
  3. batchTransfer()
  4. Because the code was part of the standard ERC20 contract
  5. Once deployed, a contract is in effect immutable, meaning it becomes ‘law’
  6. Some were quicker about suspending the token, others were too slow to react.

How was the bug discovered?
By using an automated system that scanned for abnormal ERC20 based transfers

What is this vulnerability called?
batchOverflow

Which function is vulnerable?
The batchTransfer function

Why was the vulnerability present in several ERC20 tokens?
The article does not mention it but per Ivan this is due to code re-use without taking time to understand everything the copied code does.

Why is “code is law” mentality problematic when it comes to fixing bugs?
There is no traditional well-known security response mechanism in place to remedy these vulnerable contracts

How did exchanges react to this vulnerability?
OKEx suspended trading; responses from other exchanges are unknown.