ERC20 deposits blocked on OKEx over critical smart contract bug

Hong Kong-based cryptocurrency exchange OKEx has put the brakes on all ECR20 deposits following the possible discovery of a bug in at least 12 smart contracts that are built to the ECR20 standard. The news came out Tuesday, forcing the exchange into action to prevent attackers from exploiting the bug.

The smart contract bug, called “BatchOverFlow,” allows an attacker to create tokens from thin air and then deposit them into a verified Ethereum wallet. In a statement, OKEx said attackers who exploit the bug “can generate an extremely large amount of tokens, and deposit them into a normal address,” which “makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”

“To protect public interest, we have decided to suspend the deposits of all ERC-20 tokens until the bug is fixed. Also, we have contacted the affected token teams to conduct investigation and take necessary measures to prevent the attack,” according to the exchange.

Following OKEx’s suspension, another cryptocurrency exchange followed suit. Changelly, which operates as a broker between exchanges and users, announced via Twitter that it would be suspending deposits following “an exploit check.” Changelly promised to bring the tokens back as soon as they’re certain “there is no vulnerability in deposits received.”

Dear Customers, ERC20 tokens are temporarily unavailable due to an exploit check. We will bring them back, once we are sure there is no vulnerability in deposits received. Follow the updates! https://t.co/qYutri4X3X

— Changelly.com (@Changelly_team) April 25, 2018

The bug was first identified over the weekend and published in a post on Medium. The author of the post, “ranimes,” claims that it could affect over 20 ERC20 smart contracts. The post includes several proofs-of-concept, showing the validity of the bug.

How much damage has been done and what tokens were affected isn’t known. However, BeautyChain, a beauty-themed ecosystem, was already exploited. Once the exploit of its coin, BEC, was identified, exchanges began suspending BEC trading, and some rolled back BEC trades.  OKEx rolled back BEC/BTC, BEC/ETH and BEC/USDT to 1:18 PM April 22, Hong Kong time.