• Final Week Countdown: Half of EOS Tokens Are Still NOT Registered!

    25 May 2018
  • One week before the expected freezing of ERC20-based EOS tokens, we found that 51.7% EOS tokens are still NOT registered. Compared with our last study on 05/01/2018, the EOS registration rate observes some improvement, but certainly not significant at all. Among the 48.3% registered tokens, 10% is already reserved for block.one at the very beginning, leaving externally-circulating tokens with 38.3% registered! This is a very BAD sign for the entire EOS community.

    Read more
  • New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398)

    23 May 2018
  • Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOverflow[5]), burnOverflow[6]), ceoAnyone[7]). Some of them could be used by attackers to generate tokens out of nowhere or steal tokens from legitimate holders, while others can be used to take over the ownership from legitimate contract owner (or administrator).

    Today, our system reports a new vulnerability called allowAnyone that affects a number of publicly tradable tokens (including EDU). Because of the vulnerability, attackers can steal valuable tokens (managed by affected, vulnerable smart contracts) from legitimate holders. More specifically, our investigation shows that in those vulnerable smart contracts, the ERC20 standard API, transferFrom(), has an issue when checking the allowed[ ][ ] storage, which typically represents the amount of tokens that _from allows msg.sender to use. As a result, anyone can transfer tokens on behalf of another one who has non-zero balance.


    Figure 1: An allowAnyone-affected Smart Contract


    Read more
  • New ceoAnyone Bug Identified in Multiple Crypto Game Smart Contracts (CVE-2018-11329)

    21 May 2018
  • Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOverflow[5], burnOverflow[6]). These vulnerabilities typically affect various tokens that may be publicly traded in exchanges. Today, we would like to report a new vulnerability named ceoAnyone, which affects, instead of tradable tokens in exchanges, but Crypto-Games.

    Starting from the end of 2017, blockchain-based crypto-games have become popular especially with the initial success of CryptoKitties. Among crypto-games, cypto idle game is an interesting category that enables players to make money by idling for hours, then followed by a profit-making transaction (e.g., selling a Lab Rat on Ether Goo). Many of the cypto idle game owners make profit from the transaction fee. However, what if the owner address could be manipulated or completely hijacked by attackers?

    Read more
  • New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11239)

    18 May 2018
  • Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOverflow[5]). Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from legitimate holders.

    Today, we would like to report another vulnerability called burnOverflow that affects a few ERC20-related tokens. In particular, one such token, i.e., Hexagon Token (HXG), has already been attacked in the wild. Specifically, on 5/18/2018, 12:55:06 p.m. UTC, PeckShield detected such attacking transaction (as shown in Figure 1) where someone calls transfer() with a huge amount of HXG token — 0xffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,fffe to another address without actually spending any HXG token.


    Figure 1: An Abnormal HXG Token Transfer (with Huge Amount)


    Read more
  • New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706)

    10 May 2018
  • Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow, proxyOverflow, transferFlaw, ownerAnyone). Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from legitimate holders. Today, we would like to report another vulnerability named multiOverflow that afflicts dozens of ERC20-based smart contracts. Our investigation shows that multiOverflow is another integer overflow bug which is similar to batchOverflow but with its own characteristics.

    Read more
  • New ownerAnyone Bug Allows For Anyone to ''Own'' Certain ERC20-Based Smart Contracts (CVE-2018-10705)

    03 May 2018
  • This morning, our vulnerability-scanning system at PeckShield identified a new vulnerability named ownerAnyone in certain ERC20-based smart contracts such as AURA, which is deployed by a decentralized banking and finance platform – AURORA. This bug, if successfully exploited, might introduce the danger of serious financial accident. Fortunately, the attackers would not be financially benefited from exploiting the vulnerability. Instead, the ownerAnyone bug can be used to trigger Denial-of-Service (DoS) attack on the affected smart contracts.

    Read more
  • No improvement: EOS Token Registration Continues to be Low (ONLY 28.57% Tokens Registered)!

    02 May 2018
  • The ERC20-based EOS tokens are expected to become frozen on the Ethereum blockchain on June 2, 2018 22:59:59 UTC (shortly before the scheduled EOS mainnet launch). Evidently, holding a certain amount of EOS tokens at this stage is not equivalent yet to having the corresponding share of native EOS tokens. Instead, current holders of ERC20-based EOS tokens need to register their tokens through the EOSCrowdsale contract. Only after the registration, current token holders will be entitled later on the EOS mainnet with voting privilege for their favorite block producers or super-nodes, which currently undergo intensive competition and heated discussions.

    In our last month study [1], we found as of 04/01/2018, among all issued tokens, EOS token registration rate is as low as 23.55%. One month later, we revisited and found as of 05/01/2018, the EOS token registration rate remains as low as 28.57%, with no improvement at all. Among the 28.57% registration, 10% is already reserved for block.one at the very beginning, leaving externally-circulating tokens with 18.56% registered! This is worrisome specially compared to recently leaped EOS market cap.

    Read more
  • Your Tokens Are Mine: A Suspicious Scam Token in A Top Exchange

    28 Apr 2018
  • Our automated scanning system at PeckShield discovered a new vulnerability named transferFlaw (CVE-2018–10468). This particular vulnerability affects a publicly traded ERC20 token listed in a top exchange. Different from batchOverflow [1] and proxyOverflow [2] we identified before, this vulnerability does not lead to generating countless tokens. Instead, this one, when exploited, can be used by attackers to steal others’ tokens.

    Our in-depth code analysis further indicates that it is probably a scam token. We have promptly notified affected exchanges to delist the related token. Note that the token has been publicly tradable for about 10 months even though at a relatively low trade volume, we believe it poses a realistic threat to legitimate users and cryptocurrency market as a whole.

    Read more
  • MyEtherWallet Domain-Hijacking Financially Victimized 198 Users, Causing $320K Loss

    26 Apr 2018
  • On April 24th, MyEtherWallet (or MEW) users in certain areas suffered from domain hijacking and, when visiting official MyEtherWallet.com domain, may be redirected to phishing sites (physically located in Russia). As of this writing, there are 198 victims falling prey with $320K US dollars loss.

    Details

    Around 12:00 PM UTC on April 24th, the DNS entries of certain Amazon servers were compromised [2], and a portion of web-browsing traffic (i.e., HTTPS-based web requests) to MEW were redirected to a fake phishing website. The fake website was camouflaged to have the same appearance with MEW. Note the phishing website used a self-signed TLS certificate, which is considered insecure by commodity browsers with warning pop-ups. However, users may ignore the warnings and still choose to proceed and enter their key information, which will then be stolen by attackers to immediately transfer remaining ETH balances.

    Read more
  • New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10376)

    25 Apr 2018
  • On 4/24/2018, 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction (shown in Figure 1). In this particular transaction, someone transferred a large amount of MESH token — 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff (63 f’s) to herself along with a huge amount fee — 0x7000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0001 to the address issuing this transaction.


    Figure 1: A Suspicious MESH Token Transfer (with huge amount)


    Read more
  • ALERT: New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10299)

    22 Apr 2018
  • Built on our earlier efforts in analyzing EOS tokens, we have developed an automated system to scan and analyze Ethereum-based (ERC-20) token transfers. Specifically, our system will automatically send out alerts if any suspicious transactions (e.g., involving unreasonably large tokens) occur.

    In particular, on 4/22/2018, 03:28:52 a.m. UTC, our system raised an alarm which is related to an unusual BEC token transaction (shown in Figure 1). In this particular transaction, someone transferred an extremely large amount of BEC token — 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000 (63 0’s – In fact, there’re actually two such large token transfers, with each transfer involving the same amount of tokens from the same BeautyChain contract but to two different addresses).


    Figure 1: A Suspicious BEC Token Transfer (with huge amount)


    Read more
  • Low EOS Token Registration Deserves Community Attention (and Actions)!

    14 Apr 2018
  • Among existing digital cryptocurrency tokens, EOS gained prominence within the crypto community and has been touted as the next-generation flagship blockchain infrastructure. Its market capitalization has recently skyrocketed and makes it 5th place with more than $6B valuation [1]. Notice that holding a certain amount of EOS tokens at this stage is not equivalent yet to having the corresponding share of native EOS tokens. In particular, before the official EOS mainnet launch in June, 2018, token holders need to register their EOS tokens through the EOSCrowdsale contract. Only after the token registration, current token holders can ‘‘own’’ their token share on the EOS mainnet right after the June launch. The ownership will further entitle token holders to vote for their favorite block producers, which currently undergo intensive competition and heated discussions.

    In this blog, we take a close look at th EOS token registration progress. Our goal here is to find out how many token holders actually have completed the registration process. More specifically, considering the total supply of 1 billion EOS tokens, what is the percentage (or registration rate) that have actually completed the above registration?

    Read more