15 October 2018, 19:10
The past couple of days has been stressful for the owners of some of the ethereum-based ERC-20 tokens. Their smart contracts turned out to have a bug that allowed attackers to create an unlimited amount of tokens.
Having learned about this vulnerability, OKEx, Poloniex, Changelly, Quoine, HitBTC and other exchanges have suspended ERC-20 token deposits and withdrawals while reviewing all smart contracts for exposure to the reported batchOverflow bug.
The good news is that CRPT tokens are devoid of such problems. Let’s see why:
The vulnerability of the affected smart contracts’ transfer function lies in the “_value” parameter, which determines the total number of tokens generated. If the token’s smart contract does not guard this parameter, it can be manipulated, which in turn changes the number of tokens being transferred. As a result, an attacker could potentially create an almost infinite amount of tokens.
To understand the issue, take a look at this (admittedly exaggerated) example:
Let’s assume that a memory register’s capacity is 999 999. If we take 500 000 and multiply that by 2, we get 1 000 000, but the register cannot hold it. Instead, the result of (500 000 x 2) will be displayed as 0. This is a classic integer overflow issue, known as batchOverflow in the case of the ERC-20 tokens in question.
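To make the overflow concrete, here is an added Python simulation (not the CRPT contract or any affected token’s code): a fixed-width multiply that wraps the way the EVM’s 256-bit arithmetic does, the SafeMath-style check that catches the wrap, and a toy batch payout run with and without that check. The same function also reproduces the 999 999 register illustration above by using a 10**6 modulus; the ledger is a plain dict standing in for an ERC-20 balances mapping.

```python
# Added example: simulates the wrapping arithmetic behind batchOverflow and the
# SafeMath-style check that prevents it. Constructed code, not the CRPT contract
# or any affected token's source; the dict ledger stands in for a balances mapping.
UINT256 = 2**256

def wrapping_mul(a: int, b: int, modulus: int = UINT256) -> int:
    """Multiply the way a fixed-width register does: the product wraps modulo
    the register size (2**256 for the EVM, 10**6 for the article's toy)."""
    return (a * b) % modulus

def checked_mul(a: int, b: int, modulus: int = UINT256) -> int:
    """SafeMath idiom: compute the wrapped product, then require c / a == b.
    If the product wrapped, dividing back does not recover b, so reject it."""
    c = wrapping_mul(a, b, modulus)
    if a != 0 and c // a != b:
        raise OverflowError(f"{a} * {b} overflows a {modulus}-sized register")
    return c

def batch_transfer(balances: dict, sender: str, receivers: list, value: int,
                   checked: bool) -> int:
    """Pay `value` to each receiver. With checked=False the total is computed
    with wrapping multiplication (the vulnerable pattern); with checked=True an
    overflow raises before any balance changes. Returns the total debited."""
    cnt = len(receivers)
    mul = checked_mul if checked else wrapping_mul
    amount = mul(cnt, value)
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) % UINT256
    return amount

def demo() -> dict:
    """Run both variants on the same request and report the outcome."""
    value = 2**255  # two receivers * 2**255 == 2**256, which is 0 mod 2**256
    unchecked = {"issuer": 0}
    debited = batch_transfer(unchecked, "issuer", ["r1", "r2"], value, checked=False)
    try:
        batch_transfer({"issuer": 0}, "issuer", ["r1", "r2"], value, checked=True)
        guarded = "accepted"
    except OverflowError:
        guarded = "rejected"
    return {"unchecked_debit": debited, "unchecked_r1": unchecked["r1"],
            "guarded": guarded, "toy_register": wrapping_mul(500_000, 2, 10**6)}

if __name__ == "__main__":
    print(demo())
```

The unchecked run debits the issuer nothing while crediting each receiver 2**255 tokens, which is exactly the balance-check bypass the audit-time overflow check is there to stop.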
Crypterium doesn’t have such a vulnerability. We have no addition or multiplication functions within our smart contract. We have a subtraction function instead: whenever a transaction is made, some CRPT tokens get burned.
Our team responsible for the CRPT smart contract has 5 years of experience in blockchain solutions. We have also secured a technical audit from Ambisafe, a respected U.S. Blockchain solutions company that specializes in the development and promotion of smart contracts.
“Contract functions are well protected from unauthorized access, and don’t perform any external calls, effectively eliminating a broad variety of usual problems. Calculations are protected against overflows while at the same time not wasting excess gas. (…) Contract can be safely used as is,” says Ambisafe’s conclusion on the Crypterium smart contract.
Blockchain security startup PeckShield was the one to come across a critical vulnerability in multiple Ethereum smart contracts. It has also developed a system that monitors ERC-20 token transactions.
As this entry in PeckShield’s blog suggests, the system “will automatically send out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur”. So far, more than a dozen ERC-20 smart contracts have shown vulnerability to batchOverflow. CRPT is not on the list, and we’re 100% sure we won’t be sent such an alert.