One line of code evaporates 6.4 billion, and smart contracts are not safe?

At noon on April 22, a hacker exploited the BatchOverFlow vulnerability in the Ethereum ERC-20 smart contract to attack the BEC (US Chain's token "Meimi") smart contract and successfully transferred a large amount of BEC tokens to two addresses, which led to a sell-off of a large amount of BEC in the market. The value of BEC fell almost to zero that day, and 6.4 billion yuan evaporated instantly.

On April 25, just three days later, another smart contract, SmartMesh (SMT), had a vulnerability. The exchange said that due to abnormal SMT transactions, various trading platforms suspended SMT deposits, withdrawals and transactions.

In the real world, stolen property can still be recovered by filing a case for investigation. But on the Internet, although digital currency has unlimited "money", once it is hacked, it is lost.

A smart contract is an agreement defined in digital form under which the participants can execute their commitments. Simply put, it is a contract that uses blockchain technology to execute automatically when certain conditions are met. At present, the most commonly used smart contract platform is Ethereum, and anyone can issue tokens according to Ethereum's ERC20 standard.

US Chain BEC was launched on OKEx, a virtual digital currency trading platform, in February 2018. It was once considered by the industry to be a digital currency issued by Meitu, but Meitu denied this and only admitted that there was a cooperation. But because of this origin, the price once soared 40 times after the launch. On April 22, when the abnormality occurred, the highest price of BEC was 2.27 yuan and the lowest price was 0.137 yuan, and the highest price fluctuation rate was 94%.

Mr. Jiang from Taizhou, Zhejiang has been in the currency market for 5 years and has been exposed to more than ten types of digital currencies. The attack on the BEC contract vulnerability was the first time Mr. Jiang had encountered such a thing. At noon on April 22, Mr. Jiang bought 2,000 BEC coins (worth about 4,000 RMB) at a price of US$0.32 per coin. Unexpectedly, the price of the coin fell to nearly 0 yuan in less than an hour.

According to the reporter of "IT Times", this is the first time that a smart contract loophole has occurred in a token based on the ERC20 standard, and the reason for such a huge loss is that the programmer was not rigorous: a very simple line of code was wrong when calling a function.

Chen Honggang, the marketing director of Zhongxiangbit, which is engaged in blockchain security protection, told reporters that in smart contracts, designers generally insert a transfer function into the code. This function should ensure that the transferred amount is less than or equal to the original balance in the wallet. However, the loophole in BEC makes the function's calculation result 0 when the transferor sets a very large transfer amount, which allows the hacker to transfer any huge amount of digital currency into his wallet.
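The arithmetic behind that description can be modeled outside the chain. The following Python sketch is an added example, not the BEC contract's code: it imitates 256-bit unsigned arithmetic, and every function name, account name and balance in it is a constructed assumption. It puts the unchecked multiplication beside an overflow-checked one and adds a total-supply invariant that a test or monitor can assert.

```python
# Added illustration: models EVM uint256 arithmetic in Python. All names and
# sample balances are hypothetical; this is not the BEC contract's source.
UINT256_MAX = 2**256 - 1

def total_unchecked(count, value):
    """Multiply the way unchecked uint256 arithmetic does: wrap modulo 2**256."""
    return (count * value) & UINT256_MAX

def total_checked(count, value):
    """Multiply with an overflow guard, as a checked-math helper enforces."""
    total = count * value
    if total > UINT256_MAX:
        raise OverflowError("count * value does not fit in uint256")
    return total

def batch_transfer(balances, sender, receivers, value, total_fn):
    """Send `value` tokens to every receiver; returns the amount debited."""
    amount = total_fn(len(receivers), value)
    # The balance check from the article: the debit must not exceed the balance.
    if value == 0 or balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return amount

def supply(balances):
    """Invariant to assert in tests or monitoring: transfers keep supply fixed."""
    return sum(balances.values())

def demo():
    # Constructed sample: 2 receivers * 2**255 == 2**256, which wraps to 0.
    value = 2**255
    results = {}
    for name, fn in (("unchecked", total_unchecked), ("checked", total_checked)):
        balances = {"sender": 10, "a": 0, "b": 0}
        before = supply(balances)
        try:
            debited = batch_transfer(balances, "sender", ["a", "b"], value, fn)
            results[name] = (debited, supply(balances) - before)
        except OverflowError:
            results[name] = ("rejected", supply(balances) - before)
    return results

if __name__ == "__main__":
    print(demo())
```

In the unchecked run the sender is debited 0 while the supply grows by 2**256, so the balance check passes even though the invariant is broken; the checked run rejects the call before any balance changes.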

It is reported that many virtual currency transactions have in fact encountered security problems, and most of the solutions afterwards are rollbacks, that is, the transaction data is rolled back to the state before the attack. Such remedial measures can only give users the same amount of new coins in their accounts, but because of the attack, the price of BEC coins plummeted. In fact, users did not really recover their losses.

Shortly after this happened, the PeckShield team used an automated system to scan and analyze the many smart contracts on Ethereum. It found that there are more than 12 ERC-20 smart contracts with BatchOverFlow security risks.

The reason why so many smart contracts have similar vulnerabilities is the chaotic status quo of digital token issuance.

An entrepreneur engaged in blockchain technology told the "IT Times" reporter that a programmer only needs to spend 5 minutes, copy some smart contract code from the Internet, and make a few modifications to issue a token. If you write another white paper and find a few well-known consultant platforms, you can issue tens of millions or even hundreds of millions of projects on the digital currency exchange.

So here come the questions:

1. Have you ever participated in the buying and selling of digital tokens? How do you see the future of digital tokens?

2. If such a loophole occurs in an ERC-20 smart contract, what impact will it have on other digital tokens?

3. Is the low technical cost of issuing digital tokens the root cause of the chaos of digital currency?

4. In addition to digital currency, will the emergence of smart contract loopholes affect the development of other blockchain projects? Why?
