On 4/24/2018, 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction (shown in Figure 1). In this particular transaction, someone transferred a large amount of MESH token — 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff (63 f’s) to herself along with a huge amount fee — 0x7000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0001 to the address issuing this transaction.


Figure 1: A Suspicious MESH Token Transfer (with huge amount)


There’s another case happened to the SMT token at 07:16:19 p.m. UTC with the same attack pattern.


Figure 2: A Suspicious SMT Token Transfer (with huge amount)


As we look into the corresponding smart contract, we find out that the proxyTransfer() function has a classic integer overflow problem.


Figure 3: A proxyOverflow-affected Smart Contract


As shown in Figure 3, both _fee and _value are input parameters which could be controlled by the attacher. If _fee + _value happens to be 0 (the overflow case), the sanity checks in line 206 could be passed. It means the attacker could transfer huge amount of tokens to an address (line 214) with zero balance. Also, a huge amount fee would be transferred to the msg.sender in line 217.

From our system-wide scanning, we have located quite a few ERC20 tokens affected, including

  Token Related Contract
1 MESH 0x3ac6cb00f5a44712022a51fbace4c7497f56ee31
    0x01f2acf2914860331c1cb1a9acecda7475e06af8
2 UGToken 0x43ee79e379e7b78d871100ed696e803e7893b644
3 SMT 0x55F93985431Fc9304077687a35A1BA103dC1e081
4 SMART 0x60be37dacb94748a12208a7ff298f6112365e31f
5 MTC 0x8febf7551eea6ce499f96537ae0e2075c5a7301a
6 FirstCoin 0x9e88770da20ebea0df87ad874c2f5cf8ab92f605
7 GG Token 0xf20b76ed9d5467fdcdc1444455e303257d2827c7
8 CNY Token 0x041b3eb05560ba2670def3cc5eec2aeef8e5d14b
9 CNYTokenPlus 0xfbb7b2295ab9f987a9f7bd5ba6c9de8ee762deb8

With the touted “code-is-law” principle in Ethereum blockchain, there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts! A proper way to recover from these vulnerabilities and devastating effects requires coordination and support from all eco-system members, especially digital asset exchanges.
In the meantime, we cannot over-emphasize the importance of performing a thorough and comprehensive audit of smart contracts before deployment.

Fortunately, we’re happy to know that effectively at 04/25/2018 15:30 p.m. GMT+8, OKEx has ERC-20 tokens deposit suspended. (Here is the announcement: https://support.okex.com/hc/en-us/articles/360003019292 ). Similarly, Huobi Pro also suspends deposits and withdrawals of all coins ( http://space.bitleek.com/topic/2132/huobi-pro-suspends-deposits-and-withdrawals-of-all-coins). Meanwhile, we want to point out that certain affected tokens are still tradable on some exchanges (e.g., gate.io, HitBTC, YoBit, and CoinExchange). Note that the presence of non-centralized exchanges with offline trading services could pose additional challenges as they might not be able to stop attackers from laundering their tokens.

About US

PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.