At least three cryptocurrency exchanges have suspended ERC-20 token deposits after a critical Ethereum smart contract bug was discovered. The first exchange to report halting deposits was OKEx, the third largest by trading volume.
According to a statement published by the Hong Kong-based cryptocurrency exchange, attackers are able to exploit the critical bug, dubbed “BatchOverFlow,” to generate an “extremely large amount of tokens” out of nowhere, which could then be deposited to a normal address. OKEx’s statement reads:
“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug - "BatchOverFlow". By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”
A blog post on Medium published over the weekend claims to have found the bug, which reportedly affects “more than a dozen ERC20 contracts.” Per the post, the BatchOverFlow vulnerability leaves affected ERC-20 tokens vulnerable to price manipulation.
The post includes a proof-of-concept that seemingly shows its authors creating an extremely large amount of tokens out of thin air in a vulnerable ERC-20 token’s smart contract.
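The arithmetic behind a bug of this kind, as an added example that is not code from the article, the Medium post, or any affected token: it assumes the flaw is an unchecked multiplication of recipient count by per-recipient amount inside a batch-transfer function (the class of defect the name refers to) and models EVM uint256 wrapping in Python, placing the vulnerable pattern beside a checked version and the supply invariant a reviewer can test.

```python
# Added example, not from the article or any affected token's contract.
# Assumption: the bug is an unchecked `count * value` in a batch transfer.
# EVM uint256 math wraps modulo 2**256, so that product can wrap to a small
# number and slip past the sender-balance check.
UINT256_MASK = (1 << 256) - 1


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style checked multiplication: raise instead of wrapping."""
    c = a * b
    if c > UINT256_MASK:               # would not fit in uint256 on-chain
        raise ArithmeticError("uint256 multiplication overflow")
    return c


def batch_transfer_unchecked(balances, sender, receivers, value):
    """Vulnerable pattern: total computed with wrapping uint256 math."""
    total = (len(receivers) * value) & UINT256_MASK
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] = (balances.get(sender, 0) - total) & UINT256_MASK
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MASK
    return balances


def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened pattern: checked multiplication reverts before any state change."""
    total = safe_mul(len(receivers), value)
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - total
    for r in receivers:
        balances[r] = balances.get(r, 0) + value
    return balances


def total_supply(balances) -> int:
    """Invariant every transfer must preserve; any change means tokens were minted."""
    return sum(balances.values())


def demo():
    """Constructed scenario: a sender holding 100 tokens pays two receivers."""
    start = {"sender": 100, "alice": 0, "bob": 0}
    huge = 1 << 255                    # 2 * huge == 2**256, which wraps to 0
    inflated = batch_transfer_unchecked(dict(start), "sender", ["alice", "bob"], huge)
    try:
        batch_transfer_checked(dict(start), "sender", ["alice", "bob"], huge)
        rejected = False
    except ArithmeticError:
        rejected = True
    return {"minted": total_supply(inflated) - total_supply(start),
            "checked_rejected": rejected}
```

Checking that the sum of balances is unchanged after each transfer is the invariant an exchange or auditor can apply to any ERC-20 contract, independent of how the overflow is reached.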
Since OKEx made its move, other cryptocurrency exchanges started reacting. At press time, trading service Changelly has tweeted out that “ERC20 tokens are temporarily unavailable due to an exploit check.” Poloniex, an exchange recently acquired by Goldman Sachs-backed payments company Circle for $400 million, revealed it suspended ERC-20 token deposits and withdrawals while it reviews the situation.
We've temporarily suspended ERC-20 token deposits and withdrawals while we review all smart contracts for exposure to the reported batchOverflow bug. We take any reports of vulnerabilities very seriously to ensure that customer funds remain safe. Thank you for your patience!— Poloniex Exchange (@Poloniex) April 25, 2018
At press time, it’s unclear how many cryptocurrencies or users were affected by the vulnerability. OKEx’s post notes it decided to suspend token deposits and withdrawals to “protect public interest,” and that it has contacted the teams behind affected tokens to conduct an investigation.
According to reports, one of the seemingly affected tokens is BeautyChain (BEC), as exchanges started suspending BEC trading pairs on April 22. In some cases, exchanges rolled back BEC trades, potentially meaning fraudulently created tokens were involved in these trades.