Cryptocurrency exchange OKEx has suspended deposits of all ERC20 tokens after the alleged discovery of a serious bug in at least 12 smart contracts built to this token standard.
In a statement published Tuesday, the Hong Kong-based exchange — third-largest in the world as measured by daily trading volume — announced the suspension of deposits, explaining that attackers have exploited a newly-discovered smart contract bug called “batchOverflow” to generate “an extremely large amount of tokens” out of thin air and then deposit them into a normal Ethereum address.
From the statement:
“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – ‘BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”
“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack,” the exchange operator added.
Changelly, a cryptocurrency trading service that acts as a broker between users and exchanges, has also suspended ERC20 token trading in response to the exploit.
Dear Customers, ERC20 tokens are temporarily unavailable due to an exploit check. We will bring them back, once we are sure there is no vulnerability in deposits received. Follow the updates! https://t.co/qYutri4X3X
— Changelly.com (@Changelly_team) April 25, 2018
A Medium post published over the weekend claims to have discovered the vulnerability, which the author says affects “more than a dozen ERC20 contracts.”
According to the post, batchOverflow is a “classic integer overflow” issue, which occurs when an operation attempts to use a numeric value outside of the range that the variable is able to represent with its allocated number of bits.
The post includes a proof-of-concept, which appears to show the researchers generating a nearly unlimited amount of tokens from a vulnerable ERC20 token contract.
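To make the overflow class concrete, the following is an added example (not code from the article, the Medium post, or any affected token contract). It models, in Python, a hypothetical batch-transfer function of the kind described above, once with EVM-style wrapping uint256 multiplication and once with an overflow-checked multiplication, and includes a simple balance-conservation invariant that an off-chain monitor could use to flag the effect. Function and account names are assumptions for the illustration.

```python
"""Model of the integer-overflow class behind "batchOverflow" (added example).

Solidity 0.4.x uint256 arithmetic wraps silently modulo 2**256. The
batch_transfer() below is a hypothetical batch-transfer routine, not the code
of any real token contract, shown with and without an overflow check.
"""

UINT256_MAX = 2**256 - 1


def mul_wrapping(a: int, b: int) -> int:
    """uint256 multiplication as the EVM performs it: product reduced mod 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a: int, b: int) -> int:
    """SafeMath-style multiplication: reject any product that does not fit in uint256."""
    if a == 0:
        return 0
    c = a * b  # Python ints are unbounded, so the true product can be inspected
    if c > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return c


def batch_transfer(balances: dict, sender: str, receivers: list, value: int, checked: bool) -> int:
    """Debit sender by cnt*value and credit each receiver with value.

    With checked=False the total is computed with wrapping arithmetic, so a
    large `value` can make `amount` far smaller than what is actually credited.
    With checked=True the same call is rejected before any state changes.
    Returns the amount debited from the sender.
    """
    cnt = len(receivers)
    if not 0 < cnt <= 20:
        raise ValueError("receiver count out of range")
    if value == 0:
        raise ValueError("value must be positive")
    amount = mul_checked(cnt, value) if checked else mul_wrapping(cnt, value)
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] -= amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return amount


def total_balance(balances: dict) -> int:
    """Sum of all balances; a plain transfer must leave this unchanged."""
    return sum(balances.values())


if __name__ == "__main__":
    # Constructed sample state: one funded account, no real addresses.
    ledger = {"alice": 1000}
    before = total_balance(ledger)
    batch_transfer(ledger, "alice", ["bob", "carol"], 100, checked=True)
    print("conserved after normal transfer:", total_balance(ledger) == before)

    ledger = {"alice": 1000}
    before = total_balance(ledger)
    debited = batch_transfer(ledger, "alice", ["bob", "carol"], 2**255, checked=False)
    print("wrapping path debited", debited, "; conserved:", total_balance(ledger) == before)

    ledger = {"alice": 1000}
    try:
        batch_transfer(ledger, "alice", ["bob", "carol"], 2**255, checked=True)
    except OverflowError as e:
        print("checked path rejected:", e, "; state unchanged:", ledger == {"alice": 1000})
```

The conservation check is the useful defender-side takeaway: for any transfer-style call, the sum of balances before and after must match, and a contract or monitor that enforces it would reject or flag exactly the transactions this bug produces, regardless of the arithmetic used internally.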
It’s currently unclear how many tokens are affected by the bug, or which ones, though BeautyChain (BEC) appears to have been among the first to be exploited: exchanges began suspending BEC trading on April 22, and in some cases have rolled back BEC trades.
This story is developing. Follow CCN for continued coverage.