Publicly tradable ERC-20 tokens carry considerable market value. Various exchanges, either centralized (e.g., Binance, Huobi.pro, and OKex) or decentralized (e.g., IDEX, EtherDelta, ForkDelta), provide the marketplace by listing them, especially the high-liquidity ones, for public trading. Clearly, the transparency and security of the corresponding smart contracts is paramount. In practice, there is a de-facto requirement for these contracts to be publicly verifiable on etherscan.io. Moreover, reflecting the fundamental "code-is-law" spirit of blockchain technology and the trust placed in it, these contracts, once deployed, should not be subject to further centralized control or manipulation.

In this blog, we report a security issue we call tradeTrap (combined with a vulnerable implementation) that directly violates the above requirements. Unfortunately, tradeTrap affects hundreds of ERC-20 tokens, and we have so far confirmed that at least ten of them are publicly tradable on current exchanges. The affected tokens could offer high-profit arbitrage opportunities to attackers.

Given the range and severity of the affected exchanges and tokens, we are not disclosing the affected tokens for now. Instead, we list the affected exchanges below:

Name            Website
Binance         www.binance.com
Huobi.pro       www.huobi.pro
OKex            www.okex.com
OKCoinKR        www.okcoinkr.com
CoinEgg         www.coinegg.com
Kucoin          www.kucoin.com
Allcoin         www.allcoin.com
HitBTC          hitbtc.com
Bitbns          bitbns.com
ZB              www.zb.com
OTCBTC          otcbtc.com
CoinBene        www.coinbene.com
COSS            coss.io
EtherDelta      etherdelta.com
ForkDelta       forkdelta.github.io
IDEX            idex.market
YEX             yex.com
Tidex           tidex.com
Radar Relay     radarrelay.com
Yobit           yobit.net
WazirX          wazirx.com
CoinExchange    coinexchange.io
CoinSpot        coinspot.com.au
Bleutrade       bleutrade.com
CEX             cex.io
Livecoin        www.livecoin.net

We strongly encourage the above exchanges to contact us immediately. We are willing to provide detailed information and the necessary technical support to proactively mitigate and recover from this security issue. We are reachable on Telegram (https://t.me/peckshield) and on WeChat (by scanning the QR code below):

About Us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us via Telegram, Twitter, or email.