SECBIT: A Full Analysis of the Beauty Chain (BEC) Contract Security Incident

At around 2 p.m. this afternoon, several cryptocurrency media outlets suddenly broke the news that the Token smart contract of Beauty Chain (BEC), the digital currency issued by Meitu Technology, has a major vulnerability that lets attackers generate unlimited tokens.

[Scallion Exclusive: A major loophole in the BEC contract allows attackers to generate unlimited tokens] OKEx issued its latest announcement today, suspending BEC trading and withdrawals. According to the Xiaocong APP, this is because there is a major loophole in the BEC Meimi contract, and attackers can generate unlimited tokens through the batch transfer method of the token contract. Scallion Note: Beauty Chain launched BEC trading on OKEx in February this year. Beauty Chain and Meitu have cooperated to help BeautyPlus, a subsidiary of Meitu, increase content value and market share. At the same time, BeautyPlus, as the seed application of Beauty Chain, assists the cold start of Beauty Chain. The token issued by Meilian is called Meimi BEC.

[Figure: Beauty Chain Official Statement]

It was rumored that in the afternoon, the Beauty Chain team found abnormal transactions and immediately notified the exchanges to suspend BEC trading and withdrawals. As it happened, my colleagues in the lab were taking a short break from their busy schedules, and we analyzed the contract code in question together.

This vulnerability is fairly obvious: it is a common integer overflow problem.

Let's briefly analyze the contract function in question:

function batchTransfer(address[] _receivers, uint256 _value) public whenNotPaused returns (bool) {
    uint cnt = _receivers.length;
    uint256 amount = uint256(cnt) * _value;
    require(cnt > 0 && cnt <= 20);
    require(_value > 0 && balances[msg.sender] >= amount);

    balances[msg.sender] = balances[msg.sender].sub(amount);
    for (uint i = 0; i < cnt; i++) {
        balances[_receivers[i]] = balances[_receivers[i]].add(_value);
        Transfer(msg.sender, _receivers[i], _value);
    }
    return true;
 }

The batchTransfer(..) function performs batch transfers; it is an extension the Beauty Chain team added on top of the ERC20 standard contract. The caller passes in several addresses and a transfer amount, and after some mandatory checks on the transaction, the function decreases and increases the balances entries in turn to carry out the Token transfer.
Obviously, when the incoming _value is too large, uint256 amount = uint256(cnt) * _value will overflow. As a result, the amount variable no longer equals cnt times _value and becomes abnormally small, so the require check on the transfer initiator's balance passes normally.

Let's look at the attack transaction details again.

Function: batchTransfer(address[] _receivers, uint256 _value)

MethodID: 0x83f12fec
[0]:  0000000000000000000000000000000000000000000000000000000000000040
[1]:  8000000000000000000000000000000000000000000000000000000000000000
[2]:  0000000000000000000000000000000000000000000000000000000000000002
[3]:  000000000000000000000000b4d30cac5124b46c2df0cf3e3e1be05f42119033
[4]:  0000000000000000000000000e823ffe018727585eaf5bc769fa80472f76c3d7

The attacker passes in 8000000000000000000000000000000000000000000000000000000000000000 as _value, and the _receivers array has size 2. After multiplication, the result just exceeds the upper limit of what uint256 can represent, causing an overflow. This ultimately amounted to an "additional issuance" on top of the originally fixed total supply of Tokens, and the Token balances of the two target accounts increased sharply.

For this kind of integer overflow vulnerability, the most recommended approach is to use the SafeMath math library. Unfortunately, the rest of the functions in this contract do use SafeMath properly to avoid overflow and underflow, but the overflow check was missed in the most critical place: one slip despite a hundred precautions, as the saying goes.

Incidentally, the overflow in the code above can be prevented with this simple modification.

// uint256 amount = uint256(cnt) * _value;  // problematic code
uint256 amount = _value.mul(uint256(cnt)); // use the SafeMath library
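
The overflow and the SafeMath fix can be replayed off-chain. The following is an added Python example, not SECBIT's or the contract's own code: it decodes the argument words of the attack transaction shown above and runs the batchTransfer logic once with the unchecked multiplication and once with a SafeMath-style mul. The function names and the dictionary used as the balances mapping are assumptions made for the illustration.

```python
# Added illustration, not the contract's code: batchTransfer's arithmetic
# modelled with EVM uint256 semantics (multiplication wraps modulo 2**256).
UINT256_MOD = 1 << 256

# Argument words [0]..[4] of the attack transaction, copied from the page.
WORDS = [
    "0000000000000000000000000000000000000000000000000000000000000040",
    "8000000000000000000000000000000000000000000000000000000000000000",
    "0000000000000000000000000000000000000000000000000000000000000002",
    "000000000000000000000000b4d30cac5124b46c2df0cf3e3e1be05f42119033",
    "0000000000000000000000000e823ffe018727585eaf5bc769fa80472f76c3d7",
]

def decode_args(words):
    """Decode (address[] _receivers, uint256 _value) from the ABI words."""
    start = int(words[0], 16) // 32          # byte offset 0x40 -> word index 2
    value = int(words[1], 16)
    count = int(words[start], 16)            # array length word
    receivers = ["0x" + w[-40:] for w in words[start + 1:start + 1 + count]]
    return receivers, value

def unchecked_mul(a, b):
    """Plain `a * b` on uint256: silently wraps on overflow."""
    return (a * b) % UINT256_MOD

def safemath_mul(a, b):
    """SafeMath-style mul: take the wrapped product, then verify c / a == b."""
    if a == 0:
        return 0
    c = (a * b) % UINT256_MOD
    if c // a != b:
        raise OverflowError("SafeMath: multiplication overflow")
    return c

def batch_transfer(balances, sender, receivers, value, mul):
    """The page's batchTransfer logic; `mul` selects unchecked or SafeMath."""
    cnt = len(receivers)
    amount = mul(value, cnt)
    if not 0 < cnt <= 20:
        raise ValueError("receiver count out of range")
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        new = balances.get(r, 0) + value
        if new >= UINT256_MOD:               # SafeMath add() would revert
            raise OverflowError("SafeMath: addition overflow")
        balances[r] = new
    return balances
```

With unchecked_mul, a sender whose balance is 0 passes both checks because amount wraps to 0, and each receiver is credited 2**255; with safemath_mul the same call raises before any balance changes.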

[Figure: Transaction Record]

[Figure: Position exception statistics]

From the huge Token amounts shown in the figure, we can easily calculate that there are about 10 to the 58th power BEC. Before the incident, the market price was about 0.3 US dollars. If these coins flow into exchanges and are sold, the consequences are unimaginable. The currency issuer, BEC, will run into big trouble.

[Figure: Coin price crash]

Domestic blockchain teams have sprung up, but their code may not have been professionally audited before going online, and they have not set up bounties to reward bug reports.
On security, most foreign blockchain projects are more mature: they seek the help of professional security audit teams before their smart contracts are deployed.
Some large exchanges and wallets also require third-party audit reports. In December last year, a potential contract vulnerability at the well-known US exchange Coinbase was discovered and reported by a professional security company in the Netherlands, thus avoiding huge losses. Some readers may wonder why smart contract code, short as it is, has so many problems.
In fact, anyone who has been engaged in smart contract development for more than 2 months will be deeply impressed by the various pitfalls of the EVM and Solidity.

The BEC incident will not be an isolated case, and security issues are easily overlooked. Our lab colleagues also quickly scanned all the contracts on Ethereum and found 12 tokens with almost the same problem, so they sent email reminders to the relevant development teams as soon as possible.
At the same time, we hope that more and more teams will choose to have professional teams audit their contracts before going online. In addition to vulnerabilities and defects in the code, please also pay more attention to rule loopholes or backdoors in the contract.
Compared with integer overflow vulnerabilities, this type of advanced rule vulnerability is very, very, very difficult to find.

Here, we once again remind all blockchain teams and smart contract development enthusiasts to be cautious when releasing contracts.


SECBIT Lab was founded by a group of geeks who love blockchain technology, and it focuses on research into trusted smart contracts and secure consensus protocols. The lab's members are located in many countries, and their professional fields include blockchain underlying architecture, smart contract languages, formal verification, cryptography and security protocols, compilation and analysis technology, game theory, cryptoeconomics and many other areas. SECBIT Lab is currently focusing on research into the security of blockchain smart contracts, helping blockchain teams improve the reliability and security of their smart contracts, and also conducting theoretical exploration and technical research and development toward a smart contract security framework.
