Today, April 25th, the third largest cryptocurrency exchange by trading volume, OKEx, announced that all ERC-20 token deposits have been suspended.
The move comes after developers discovered an Ethereum Smart Contract bug called BatchOverflow which permits those who exploit the bug to issue an almost unlimited number of new tokens. In turn, the newly minted tokens can then be deposited into other asset wallets. ‘This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers,’ the OKEx team wrote.
Ethereum Smart Contract Bug: BatchOverflow
The issue was first reported in a Medium post published by OKEx three days ago. The post explained that the bug is a classic integer overflow issue, which occurs when any operation uses a numerical value outside the range that can be represented with the allocated number of bits. In detailing the problem, OKEx’s post also included a proof-of-concept which showed how an unlimited number of tokens can be generated from any vulnerable ERC-20 contract.
The post reads: “To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack.”
It’s still unclear how many ERC-20 tokens are vulnerable to this bug, or which ones specifically are affected. As of today, BeautyChain (BEC) is the only confirmed token to be attacked.
The big fear is that this particular Ethereum Smart Contract bug will permit price manipulations of the vulnerable ERC-20 tokens. Unfortunately, a similar incident occurred in March on the cryptocurrency exchange Binance when attackers manipulated Viacoin (VIA), exchanging users altcoins for VIA and causing the coin’s price to climb.
OKEx and Changelly
Besides OKEx, another cryptocurrency trading platform, Changelly, has also suspended ERC-20 token trading. Announcing the suspension through its Twitter, the company wrote:
“Dear Customers, ERC20 tokens are temporarily unavailable due to an exploit check. We will bring them back, once we are sure there is no vulnerability in deposits received. Follow the updates!”
This news comes just a day after a DNS attack was executed against popular online cryptocurrency storage provider MyEtherWallet (MEW). The security breach occurred at around 12:00 p.m. UTC yesterday and led to the draining of many MEW users funds.
According to an official statement from the MEW team on Reddit, the breach occurred through the hijacking of Domain Name System servers. This caused MEW users to be redirected to phishing sites where control of their funds were unknowingly handed over to the perpetrators of the attack.