Researchers from the security company Peckshield analyzed the "anomalous trading activity in BEC tokens" seen on the cryptocurrency exchange OKEx on Sunday, April 22, and concluded that the token had been attacked by hackers. Exploiting a vulnerability in the token's smart contract, dubbed batchOverflow, the attackers were able to conjure up 8 vigintillion BeautyChain tokens.
According to Peckshield's experts, OKEx was not the only one at risk: more than ten ERC20 smart contracts carry the same batchOverflow vulnerability.
The vulnerable function is batchTransfer. The local variable amount is computed as the product of cnt (the number of receivers) and _value. The second parameter, _value, can be any 256-bit integer, for example 0x8000000000000000000000000000000000000000000000000000000000000000 (0x8 followed by 63 zeros). With two _receivers passed to batchTransfer(), such a huge value overflows amount and wraps it round to exactly zero. With amount zeroed, the attacker passes the balance check on lines 258-259, and the subtraction on line 261 takes nothing from the sender. Most interesting of all: the full huge _value is then credited to the balance of each of the two _receivers, so the money lands in the attacker's pocket at no cost whatsoever.
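The arithmetic described above can be reproduced in a few lines. The following is an added illustration, not code from the BEC contract or from Peckshield's report: it models EVM uint256 arithmetic (wrapping modulo 2**256) in Python, places an unchecked batchTransfer next to a variant that uses SafeMath-style checked multiplication, and runs both with the 0x8000...0000 value and two receivers. The balance check is modelled after the description above (_value > 0 and sender balance >= amount); the ledger, the address names and the ContractRevert exception standing in for a Solidity require() failure are all constructed for the example.

```python
# Added illustration, not code from the BEC contract or from Peckshield's report.
# Models EVM uint256 arithmetic (wrapping modulo 2**256) so the batchOverflow
# condition can be reproduced and the checked fix shown side by side.

MASK = (1 << 256) - 1  # uint256 wraps modulo 2**256


class ContractRevert(Exception):
    """Stands in for a Solidity require() failure (constructed for this example)."""


def require(cond, msg):
    if not cond:
        raise ContractRevert(msg)


def batch_transfer_vulnerable(balances, sender, receivers, value):
    """Unchecked variant: amount = cnt * _value, wrapping like a Solidity 0.4 uint256."""
    cnt = len(receivers)
    amount = (cnt * value) & MASK  # silently wraps: 2 * 2**255 == 2**256 -> 0
    # balance check modelled after the one described in the text
    require(value > 0 and balances.get(sender, 0) >= amount, "insufficient balance")
    balances[sender] = (balances.get(sender, 0) - amount) & MASK  # subtracts nothing when amount == 0
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & MASK  # each receiver is credited the full _value
    return amount


def checked_mul(a, b):
    """SafeMath-style multiplication: revert when the product does not fit in uint256."""
    c = (a * b) & MASK
    require(a == 0 or c // a == b, "mul overflow")
    return c


def checked_add(a, b):
    c = (a + b) & MASK
    require(c >= a, "add overflow")
    return c


def checked_sub(a, b):
    require(b <= a, "sub underflow")
    return a - b


def batch_transfer_checked(balances, sender, receivers, value):
    """Fixed variant: every arithmetic step reverts on wrap-around instead of continuing."""
    cnt = len(receivers)
    amount = checked_mul(cnt, value)  # reverts for cnt=2, value=2**255
    require(value > 0 and balances.get(sender, 0) >= amount, "insufficient balance")
    balances[sender] = checked_sub(balances.get(sender, 0), amount)
    for r in receivers:
        balances[r] = checked_add(balances.get(r, 0), value)
    return amount


# The value quoted in the text: 0x8 followed by 63 hex zeros, i.e. 2**255.
HUGE = int("0x8" + "0" * 63, 16)


def run_scenario(transfer_fn, value):
    """Constructed ledger: the sender holds nothing. Returns (ledger, revert reason or None)."""
    balances = {"sender": 0, "recv_a": 0, "recv_b": 0}  # constructed sample addresses
    try:
        transfer_fn(balances, "sender", ["recv_a", "recv_b"], value)
        return balances, None
    except ContractRevert as e:
        return balances, str(e)


if __name__ == "__main__":
    for name, fn in [("unchecked", batch_transfer_vulnerable), ("checked", batch_transfer_checked)]:
        ledger, reason = run_scenario(fn, HUGE)
        print(f"{name:9s} -> revert={reason!r}, recv_a={ledger['recv_a']:#x}")
```

Running the script shows the two behaviours side by side: the unchecked variant completes with a sender balance of zero and 2**255 tokens credited to each receiver, while the checked variant reverts with "mul overflow" and leaves the ledger untouched. For ordinary inputs both variants produce the same result, which is why the checked arithmetic is a drop-in fix.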
BeautyChain ($BEC) is Withdrawal and Trading is Suspended https://t.co/pgiZ17Yjf7 pic.twitter.com/yxebBCwGyR
— OKEx (@OKEx_) April 22, 2018
Recall that a month ago, analysts at the Dutch fintech company VI Company found a vulnerability in a smart contract of the cryptocurrency exchange Coinbase that allowed users to manipulate their balance by crediting themselves with an unlimited amount of Ethereum.