New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706)

Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow, proxyOverflow, transferFlaw, ownerAnyone). Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from legitimate holders. Today, we would like to report another vulnerability named multiOverflow that afflicts dozens of ERC20-based smart contracts. Our investigation shows that multiOverflow is another integer overflow bug which is similar tobatchOverflow but with its own characteristics.

Details

Integer overflow has been one of most common root causes of vulnerabilities in smart contracts. The multiOverflow bug also falls in this category.

                                                       Figure 1: The Vulnerable Function: transferMulti()

We show in Figure 1 the vulnerable function, i.e., transferMulti(). This function takes two parameters: an address array, _to, for naming receivers and an uint256 array, _value, for holding the amount transferring to each receiver. In line 250, we notice that amount is calculated by adding the product of _value and 10 to the power of decimal (set as 8 in the contract constructor). Obviously, this could be an integer overflow case because the sanity check in line 252 can be easily bypassed. To demonstrate, we craft a proof-of-concept with following parameters:

1. _to
   • 0x93995bc9db9ae7af4f969400012c6fe94c93f761
   • 0x0c2a5f9a88bf2467f0b90e80e263e6c25daed62d
2. _value
   • 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e
   • 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e

Since there’re two receivers, the loop in line 249-251 would be iterated twice. The execution proceeds as follows:

Iteration 1

amount += _value[0]*10**uint256(decimals);
==> amount += 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e * 100,000,000 (line 250)

Iteration 2

amount += _value[1]*10**uint256(decimals);
==> amount += 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e * 100,000,000 (line 250)

Now, amount is overflowed successfully to0x10000000000000000000000000000000000000000000000000000000004319c00 which equals to 0x4319c00 in uint256 format.

As long as the attacker has enough tokens, i.e., balanceOf[msg.sender] >= 0x4319c00, each receiver will receive a tremendous number of tokens —0x800000000000000000000000000000000000000000000000000000000218ce00.

The following figure demonstrates a successful attack which proves our theory:

Affected Tokens

The multiOverflow bug is of the same nature of other integer overflow vulnerabilities (e.g.,batchOverflow and proxyOverflow) and could cause similar damages. When analyzing deployed smart contracts, we find a few are affected. A particular example token is SCA, which is deployed by SocialChain (a blockchain startup focusing on entertainment and leisure industries). SCA is currently in the pre-sale stage, which means a successful multiOverflow attack can wreak havoc and cause serious financial loss to the company.

Upon the detection, we immediately contacted SocialChain and provided them with vulnerability details and necessary technical supports. The SCA team promptly responded to our notification and took actions to fix the problem actively. As of the time publishing this blog, a new smart contract with the multiOverflow bug fixed has been deployed while all addresses holding SCA tokens have been mapped to the new contract successfully. We applaud the team’s reaction and believe this is what a high-quality development team should behave!

Conclusion

As cryptocurrency is getting acceptable to the public, a popular way for entrepreneurs to raise funds is to issue tokens. Compare to prosperity of various tokens, security in blockchain is still at a primitive stage. As indicated in recent discovery of various smart contract vulnerabilities, very few (token-issuing) teams have taken the security into serious consideration before deploying their smart contracts.

We believe security is essential in any blockchain-based smart contracts and any token-related businesses (including ICOs and live DAPPs). Ealier vulnerabilities such as batchOverflow andproxyOverflow have demonstrated how devastating they could be once exploited by attackers. Regarding the SocialChain case, it’s fortunate that we are ahead by identifying and fixing the bug before any multiOverflow attack, thus successfully preventing possible damage or financial loss. But always keep in mind, attackers are out there, lurking in the shadows and seeking for another chance. This would be an endless arms race!