Digital asset exchange OKEX announced today that it suspended deposits of all ERC-20 tokens “due to the discovery of a new smart contract bug – BatchOverFlow.” The bug allows hackers to exploit certain ERC20 smart contracts by spinning up vast amounts of tokens out of thin air.
Multiple exchanges, including HitBTC, Poloniex, Changelly and QUOINE, also temporarily suspended trading.
Poloniex re-enabled deposits and withdrawals for all ERC20 tokens.
HitBTC is tracking every coin’s status on their System Health page.
OKEX reports, “To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack.” The exchange notes that abnormal trading activity first began with BeautyChain (BEC) at around 13:00 on April 22 (Hong Kong Time).
SmartMesh (SMT), an ERC20 token, has responded with an update:
A whopping 65,133,050,195,990,400,000,000,000,000,000,000,000,000,000,000.891004451135422463 counterfeit tokens were created due to the smart contract hack.
The major exchanges where SMT is listed, such as Huobi, Gate, OKEX, CEX, suspended SMT trades and transfers, “and the loopholes have been repaired.” The SmartMesh Foundation will destroy tokens to stop price manipulation and keep the total supply of SMT at the value of 3,141,592,653.
The BatchOverFlow bug was detailed on April 23rd by user ranimes in a Medium blog, “New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10299).”
Addressing the ERC20 fear, uncertainty and doubt (FUD), Dan Emmons, a certified Ethereum and full stack developer who posted on Medium, claims the problem can be solved. “It’s essentially the same type of overflow that can occur in any type of arithmetic, since multiplication is just repetitive addition. The problem can be avoided: using SafeMath for uint256.”
In response to inquiry: the Enigma ERC20 token is NOT affected by any smart contract vulnerabilities that were disclosed. All is well 🙂
— Enigma – We ❤️ Privacy (@EnigmaMPC) April 25, 2018
Enigma, an ERC20 project incubated at MIT Media Lab, updated their community with a tweet that they were not affected by the smart contract bug.
Below is a partial list of coins that were affected by the BatchOverFlow bug.