Cryptocurrency exchanges suspend trading of ERC-20 tokens due to a new smart contract bug, called batchOverflow

Recently, multiple cryptocurrency exchanges have suspended trading of ERC-20 tokens due to a potential new smart contract bug, called batchOverflow, which was discovered in the early morning of April 25th. The exchanges Poloniex, Changelly, Quoine, OKEx and HitBTC have all suspended deposits and withdrawals of all ERC-20 tokens, which are Ethereum-based tokens.

Huobi Pro separately announced on April 25 that it had suspended all coins, but has since limited that to ERC-20 tokens only. This was due to a project called SmartMesh (SMT), which claimed that its smart contract had been attacked and that an “Ethereum smart contract overflow vulnerability” in its contract code had been exploited. Huobi Pro, which runs an automated system that detects abnormal deposits, discovered the abnormal incoming transaction and did not credit the tokens.

The team behind SmartMesh later announced that it would take steps to prevent a price manipulation:

“The SmartMesh Foundation will take the equivalent amount of SMT to the counterfeit amount and destroy it to make up for the losses caused, and keep the total supply of SMT at the value of 3,141,592,653.”

On the 22nd of April, a user under the name Ranimes posted an article on Medium with the title “New batchOverflow Bug in Multiple ERC20 Smart Contracts”:

“On 4/22/2018, 03:28:52 a.m. UTC, our system raised an alarm which is related to an unusual BEC token transaction (shown in Figure 1). In this particular transaction, someone transferred an extremely large amount of BEC token – 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000”

That is in fact 63 zeros, and as Ranimes stated in the article, there were actually two identical token transfers from the same BeautyChain contract to two different addresses. After further investigation they ran their system to scan and analyse other contracts, which showed that more than a dozen ERC-20 token contracts are also vulnerable to the batchOverflow exploit. They were also able to execute the exploit themselves in a successful transaction against a vulnerable contract that is not tradable on any exchange.
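The transfer described above is the signature of an unchecked integer multiplication: in Solidity versions before 0.8, a uint256 product silently wraps modulo 2^256, so a batch of two transfers of 0x8000…0000 (2^255 each) multiplies to exactly 2^256, which wraps to 0 and passes a sender-balance check. The Python model below is an added example, not code from the article or from any of the affected projects. The batch-transfer shape it models (`amount = count * value; require(balance >= amount)`) is an assumption about the vulnerable pattern rather than a quotation of any contract, and the balances, address names and supply figure are constructed sample data. It shows the wrapping path, the SafeMath-style checked path that rejects the same input, and a monitoring heuristic of the kind that raised the alarm the article describes.

```python
"""
Added example (not from the article): a Python model of EVM uint256
arithmetic showing how an unchecked multiplication in a batch transfer
wraps to zero, and how a checked multiplication stops it.
"""

UINT256_MAX = (1 << 256) - 1  # largest value a Solidity uint256 can hold


class ArithmeticOverflow(Exception):
    """Raised by the checked path when a result does not fit in uint256."""


def mul_unchecked(a: int, b: int) -> int:
    """Pre-0.8 Solidity semantics: the product wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a: int, b: int) -> int:
    """SafeMath-style multiplication: compute, then verify the product fits."""
    product = a * b  # Python ints are unbounded, so nothing wraps silently here
    if product > UINT256_MAX:
        raise ArithmeticOverflow(f"{a} * {b} exceeds uint256")
    return product


def batch_transfer(balances: dict, sender: str, receivers: list,
                   value: int, checked: bool) -> dict:
    """
    Model of a batch-transfer function of the ASSUMED shape
        amount = cnt * value; require(balances[sender] >= amount)
    Returns the updated balances. With checked=False the balance check
    can be satisfied by a wrapped-around `amount`.
    """
    cnt = len(receivers)
    if cnt == 0 or value == 0:
        raise ValueError("nothing to transfer")
    mul = mul_checked if checked else mul_unchecked
    amount = mul(cnt, value)  # total debited from the sender
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    new_balances = dict(balances)
    new_balances[sender] -= amount
    for receiver in receivers:
        # each receiver is credited `value`, not `amount`
        new_balances[receiver] = (new_balances.get(receiver, 0) + value) & UINT256_MAX
    return new_balances


def exceeds_supply(transfer_value: int, total_supply: int) -> bool:
    """Monitoring heuristic (defender side): a single transfer larger than the
    token's total supply cannot come from a correctly functioning contract."""
    return transfer_value > total_supply


def run_scenario(checked: bool) -> dict:
    """Constructed scenario: a sender holding 100 tokens batch-transfers
    0x8 followed by 63 hex zeros (2**255) to each of two receivers."""
    balances = {"sender": 100}                       # constructed sample balance
    receivers = ["receiver_a", "receiver_b"]         # constructed sample addresses
    value = 0x8 << 252                               # 0x8000...0000, i.e. 2**255
    try:
        after = batch_transfer(balances, "sender", receivers, value, checked)
        return {"accepted": True, "error": None, "balances": after}
    except (ArithmeticOverflow, ValueError) as exc:
        return {"accepted": False, "error": type(exc).__name__, "balances": balances}


if __name__ == "__main__":
    for flag in (False, True):
        result = run_scenario(checked=flag)
        print(f"checked={flag}: accepted={result['accepted']} error={result['error']}")
    # the constructed 2**255 transfer dwarfs a supply in the billions, so a
    # supply-bound alarm catches it regardless of the contract's arithmetic
    print("alarm:", exceeds_supply(0x8 << 252, 3_141_592_653))
```

Running the script prints the unchecked path accepting the transfer while the sender keeps the full 100 tokens and each receiver gains 2^255, and the checked path rejecting it with an `ArithmeticOverflow`. The supply-bound alarm is the cheap, contract-agnostic check an exchange can apply to incoming deposits, which is exactly where Huobi Pro's automated screening caught the abnormal transaction.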

Although they found the exploit and could validate it successfully, they also noted in the article that there is no well-known security mechanism to remedy it:

“However, with the touted “code-is-law” principle in Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts”

BeautyChain acknowledged the exploit on their website.

The SmartMesh Foundation ended their statement with the following quote:

“In addition, SmartMesh would like to thank Huobi, OKEx, Gate, CEX, and the other exchanges for their great support and assistance in resolving this incident!”

The loopholes have since been repaired.

This exploit and the DNS hack of MyEtherWallet (MEW) on the 25th of April do not appear to be related.