Hyperinflation Vulnerability - Reading Assignment

#1

Answer the questions below:

1. How was the bug discovered?
2. What is this vulnerability called?
3. Which function is vulnerable?
4. Why was the vulnerability present in several ERC20 tokens?
5. Why is “code is law” mentality problematic when it comes to fixing bugs?
6. How did exchanges react to this vulnerability?

#2

1. How was the bug discovered?

By an alarm raised by security team’s transaction monitoring system.

2. What is this vulnerability called?

batchOverflow

3. Which function is vulnerable?

batchTransfer

4. Why was the vulnerability present in several ERC20 tokens?

I guess the reason is: "ERC20 token is a standard, so it felt safe to take someone else's implementation (for example from OpenZeppelin or another similar source, or some ERC20 contract published by another well known and respected company) and apply it to your token."

5. Why is “code is law” mentality problematic when it comes to fixing bugs?

The blockchain is immutable by design. So if the contract contains bugs, the only way is to create a new one and abandon the existing one (and abandon all the ether it holds, I guess).
Note: The upgradeable proxy contracts are out of scope for this lecture, I guess.

6. How did exchanges react to this vulnerability?

The price of the cryptocurrency (or fiat currency) might peak since the demand goes up as the owner of exploited tokens starts to sell them in order to make a profit.

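The three answers above all point at the same mechanism: a multiplication inside batchTransfer() that wraps around in uint256, and a transaction monitor that noticed the resulting balances. The following Python block is an added example, not code from the thread or from any BEC contract: it emulates the unchecked cnt * value arithmetic with 256-bit wraparound, puts a SafeMath-style checked multiplication beside it, and shows the supply-conservation invariant a monitoring system can assert on. Account names ("alice", "bob", "carol") and balances are constructed sample data.

```python
# Added example, not from the thread: the batchOverflow arithmetic simulated
# with uint256 wraparound, the overflow-checked (SafeMath-style) version, and a
# supply-conservation invariant a transaction monitor can use.
# Account names and balances below are constructed sample data.

UINT256_MAX = (1 << 256) - 1


def u256(x: int) -> int:
    """Emulate EVM uint256 arithmetic, which wraps modulo 2**256."""
    return x & UINT256_MAX


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: raise instead of silently wrapping."""
    c = a * b
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c


def batch_transfer_unchecked(balances: dict, sender: str, receivers: list, value: int) -> int:
    """Vulnerable pattern: amount = cnt * value is computed in uint256 with no
    overflow check, then compared against the sender's balance. Returns the
    amount actually debited from the sender."""
    cnt = len(receivers)
    amount = u256(cnt * value)  # can wrap to a tiny number (even zero)
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("revert: bad arguments or insufficient balance")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = u256(balances.get(r, 0) + value)
    return amount


def batch_transfer_checked(balances: dict, sender: str, receivers: list, value: int) -> int:
    """Hardened pattern: identical logic, but the multiplication reverts on
    overflow, so the debited amount always equals cnt * value."""
    cnt = len(receivers)
    amount = safe_mul(cnt, value)  # raises before any balance is touched
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("revert: bad arguments or insufficient balance")
    balances[sender] -= amount
    for r in receivers:
        balances[r] = balances.get(r, 0) + value
    return amount


def supply_conserved(before: dict, after: dict) -> bool:
    """Monitoring invariant: a plain transfer must not change total supply.
    A batch transfer that credits balance the sender never paid fails this."""
    return sum(before.values()) == sum(after.values())


def demo() -> dict:
    """Run both versions on the same overflowing input and report results."""
    value = 1 << 255          # two receivers * 2**255 == 2**256, which wraps to 0
    receivers = ["bob", "carol"]

    vulnerable = {"alice": 100}
    debited = batch_transfer_unchecked(vulnerable, "alice", receivers, value)

    hardened = {"alice": 100}
    try:
        batch_transfer_checked(hardened, "alice", receivers, value)
        reverted = False
    except OverflowError:
        reverted = True

    return {
        "unchecked_debited": debited,                  # 0: the sender paid nothing
        "unchecked_bob_balance": vulnerable["bob"],    # 2**255 credited anyway
        "unchecked_supply_ok": supply_conserved({"alice": 100}, vulnerable),
        "checked_reverted": reverted,
        "checked_balances_untouched": hardened == {"alice": 100},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the invariant in supply_conserved() is that it needs no knowledge of the bug: any transfer that changes the sum of all balances is anomalous, which is the kind of signal a transfer-scanning system can raise before anyone has read the contract source.
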
#3

  1. A huge amount of BEC tokens was transferred, raising an alarm.
  2. batchOverflow
  3. batchTransfer
  4. Probably the same functions get reused, so the vulnerabilities are also copied there.
  5. Smart contracts are immutable; they are not supposed to be changed, and fixing would require a change.
  6. OKEx responded with suspension of trading, but other exchanges were too slow to react.

#4

  1. An alert generated from a blockchain security company’s “automated system [developed] to scan and analyze Ethereum-based (ERC-20) token transfers.”
  2. “batchOverflow is essentially a classic integer overflow issue”
  3. batchTransfer()
  4. ERC20 tokens commonly use boilerplate code
  5. Spirit of the law vs letter of the law. Siding with letter of the law assumes perfection. Seems there’s no good way to remedy imperfection with letter of the law. Updates are not meant to be done ideally, because it’s assumed perfect.
  6. Uncoordinatedly.