Crypto Exchanges Pause Services Over Contract Bugs

Published by Coindesk

As many as a dozen or more ethereum-based ERC-20 smart contracts have been found to contain bugs that let attackers create as many tokens as they want.

While the bugs - first identified on April 22 and April 24, respectively, in a pair of posts published on Medium - aren't tied to the ERC-20 standard itself, the issues prompted a number of exchanges to suspend ERC-20 tokens as they investigate.

As of press time, Poloniex has moved to reinstate services for ERC-20 tokens.

The batchOverflow post outlines how the batchTransfer function in a contract has a maximum number of tokens that can be sent in a transaction, adding that the value of the tokens being transferred must be less than the total number of tokens that were generated.

The "_value" parameter - one of the two that determine the total number of tokens - can be manipulated, which in turn changes another variable and lets an attacker create as many tokens as they'd like.

Further, the attacker can bypass the barriers in the contract which would normally ensure that a reasonable number of tokens are being transferred.
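The arithmetic behind the batchOverflow description above, modelled in Python as an added example (it is not code from the Medium post or from any affected contract). The class and method names, the 20-receiver cap and the sample values are assumptions made for illustration; the hardened variant rejects a product that does not fit in 256 bits.

```python
UINT256_MOD = 2 ** 256  # EVM uint256 arithmetic wraps modulo 2**256
MAX_RECEIVERS = 20      # assumed per-call cap on the number of receivers


class Token:
    """Toy ledger modelling a batchTransfer-style function (hypothetical names)."""

    def __init__(self, balances, checked):
        self.balances = dict(balances)
        self.checked = checked  # True = hardened variant with an overflow check

    def batch_transfer(self, sender, receivers, value):
        cnt = len(receivers)
        product = cnt * value
        if self.checked and product >= UINT256_MOD:
            raise OverflowError("cnt * value does not fit in uint256")
        amount = product % UINT256_MOD  # result of unchecked uint256 multiplication
        if not (0 < cnt <= MAX_RECEIVERS):
            raise ValueError("bad receiver count")
        # The balance check compares against the (possibly wrapped) total.
        if not (value > 0 and self.balances.get(sender, 0) >= amount):
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        for r in receivers:
            # Each receiver is still credited the full, unwrapped value.
            self.balances[r] = self.balances.get(r, 0) + value
        return amount


def demo():
    value = 2 ** 255           # constructed input: 2 * value wraps to 0
    receivers = ["r1", "r2"]   # constructed receiver labels
    weak = Token({"sender": 0}, checked=False)
    debited = weak.batch_transfer("sender", receivers, value)
    minted = sum(weak.balances[r] for r in receivers)
    strong = Token({"sender": 0}, checked=True)
    try:
        strong.batch_transfer("sender", receivers, value)
        rejected = False
    except OverflowError:
        rejected = True
    return debited, minted, rejected
```

In Solidity the equivalent defence is a checked multiplication before the balance comparison; compilers from 0.8 onward revert on overflow by default.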

While initial reports indicated all ERC-20 tokens may be impacted, the "batchTransfer" function is not part of the token standard.

In a sign of the seriousness of that bug, OKEx said on April 24 that it was rolling back trades on the BeautyChain Token.

Certain variables can be manipulated to spontaneously generate large amounts of tokens.

One Twitter user noted that an attacker created $5 octodecillion in SmartMesh tokens.
