OKEx Suspends ERC20 Deposits on Discovery of Critical Ethereum Smart Contract Bug

Cryptocurrency exchange OKEx has suspended deposits of all ERC20 tokens after the alleged discovery of a serious bug in at least 12 smart contracts built to this token standard.

In a statement published Tuesday, the Hong Kong-based exchange -- third-largest in the world as measured by daily trading volume -- announced the suspension of deposits, explaining that attackers have exploited a newly-discovered smart contract bug called “batchOverflow” to generate “an extremely large amount of tokens” out of thin air and then deposit them into a normal Ethereum address.

From the statement:

“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug - 'BatchOverFlow'. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”

“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack,” the exchange operator added.

Changelly, a cryptocurrency trading service that acts as a broker between users and exchanges, has also suspended ERC20 token trading in response to the exploit.

A Medium post published over the weekend claims to have discovered the vulnerability, which the author says affects “more than a dozen ERC20 contracts.”

According to the post, batchOverflow is a “classic integer overflow” issue, which occurs when an operation attempts to use a numeric value outside of the range that the variable is able to represent with its allocated number of bits.

The post includes a proof-of-concept, which appears to show the researchers generating a nearly unlimited amount of tokens from a vulnerable ERC20 token contract.

Source: Coinmonks/Medium

It’s currently unclear how many and what specific tokens are affected by the bug, though it appears that BeautyChain (BEC) was among the first to be exploited, and exchanges first began to suspend BEC trading on April 22 and in some cases have rolled back BEC trades.

This story is developing. Follow CCN for continued coverage.

Josiah Wilmoth @Y3llowb1ackbird

Josiah is the US Editor at CCN, where he focuses on financial markets and cryptocurrencies. He has written over 2,000 articles since joining CCN in 2014. His work has also been featured on ZeroHedge, Yahoo Finance, and Investing.com. He holds bitcoin, but does not engage in day trading. He lives in rural Virginia. Follow him on Twitter @y3llowb1ackbird or email him directly at josiah.wilmoth(at)ccn.com.

News Tip?

tips (at) ccn.com

About CCN.com

CCN.com, also known as CCN Markets, is a financial news site reporting on Market News and Gaming. Op-eds and opinions should not be attributed to CCN Markets. Journalists on CCN Markets follow a strict ethical code that you can find here. You can contact us here. You can read more about us here. Find our journalists here. U.S. Office: New Jersey, USA. Twitter. Facebook. LinkedIn. Youtube.

We are using cookies for third-party applications like Twitter, Youtube embeds, Google Analytics and Google AdSense.

Privacy Policy