Yesterday we saw multiple exchanges decide to suspend ERC20 token deposits due to the discovery of a smart contract bug called batchOverFlow. First Hong Kong-based OKEX reported that they had halted ERC20 deposits, then many other exchanges such as Poloniex and HitBTC were quick to follow suit.
We've temporarily suspended ERC-20 token deposits and withdrawals while we review all smart contracts for exposure to the reported batchOverflow bug. We take any reports of vulnerabilities very seriously to ensure that customer funds remain safe. Thank you for your patience!— Poloniex Exchange (@Poloniex) April 25, 2018
The smart contract exploit allowed potential hackers to generate billions of ERC20 tokens. We saw the exploit first used on the 22nd April when 115 octodecillion BEC (Beauty Coin) was generated in only two transactions; when you take into account that BEC was trading at $0,32 per token you can truly understand how ridiculous this would have looked. $3,7 novemdecillion that is the dollar value of the exploit on Beauty Coin, probably the only time I will ever write down that number: a 1 followed by 60 zeros. Currently, there are over nine ERC20 tokens that are all affected by this exploit.
Let us have a closer look at this so-called ERC20 vulnerability
It is important to understand there is no actual problem with Ethereum’s codebase, the “bug” is what is known as an integer overflow. A common bug that exists in many programming languages, not just Solidity(the programming language used by Ethereum smart contracts.)
The batchOverFlow exploit only comes into play when a developer incorrectly implements the batchTransfer function into their token’s smart contract. By default, it is not a standard ERC20 function, which means that not all ERC20 tokens are affected. For the ones that do make use of it, as long as it was implemented correctly then the exploit does not exist. Any smart contract developer that knows what he is doing, will be aware that the SafeMath library needs to be used to catch overflows and stop them from impacting the logic of the program. What we have here is a case of bad copy-paste contract developers and naive centralized exchanges.
The fault lies jointly with the developers and the exchanges
As it stands the listings fees on most of the major exchanges are huge, we are talking north of $10 million to list a new token. When this amount of money is changing hands, surely one would think that a third party smart contract audit by a reputable company would be a requirement. Most of the major exchanges could definitely afford to have their own in-house team for audits, so why are they taking so many risks?
What we have here is another case of centralized exchanges being blinded by their own greed. If they truly had their customers best intentions at heart, then they would have the necessary safeguards in place to not list faulty ERC20 tokens. Time and time again, we are met with major exchanges putting their profits ahead of customer safety.
Secondly, smart contract developers need to step up their game! The dangers of alienating your users by producing a faulty token are just too great. We have released a template to follow for an ERC223 token which is free of problems and provided an easy way for you to check that your new token is truly ERC223.
So to conclude? Don't worry Ethereum has not been hacked you can still buy ERC20 tokens, use a decentralized exchange and make sure you tell your smart contract developers about using ERC223!