Crypto exchange Poloniex has suspended all ERC-20 (Ethereum-based) token deposits and withdrawals, and HitBTC has begun an internal inspection that takes deposits and transfers offline, following OKEx's decision earlier today to halt ERC-20 deposits after the discovery of a potential new smart contract bug called batchOverflow.
We've temporarily suspended ERC-20 token deposits and withdrawals while we review all smart contracts for exposure to the reported batchOverflow bug. We take any reports of vulnerabilities very seriously to ensure that customer funds remain safe. Thank you for your patience! — Poloniex Exchange (@Poloniex) April 25, 2018
Due to a potential issue detected in ERC20 smart contracts, we initiated an internal inspection. All deposits and transfers on ERC20 tokens will be getting online in accordance with the results of the inspection. Please refer to the System Health page for online status. — HitBTC (@hitbtc) April 25, 2018
On April 23, Medium user ranimes published a post entitled “New batchOverflow Bug in Multiple ERC20 Smart Contracts,” detailing how “a previously unknown vulnerability in the contract” could allow “an attacker to possess a huge amount of tokens by exploiting these vulnerable contracts,” thereby opening the door to price manipulation.
The blog post notes that, due to the “code-is-law” principle that is used on the Ethereum (ETH) Blockchain, “there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.”
The author of the post writes that the teams behind contracts with this vulnerability have been contacted, but “other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow.”
The post adds that a further problem could arise with decentralized exchanges that use offline trading services, “as they cannot even stop attackers from laundering their tokens.”
Medium user John Huxtable commented on the post that he thinks “it’s worth noting that batchTransfer isn’t a standard ERC20 function so only the contract owners which chose to implement it could be affected.”
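The bug class behind batchOverflow, as an added illustration that is not code from the article or from any affected token contract: a minimal Python model of a batchTransfer-style function over uint256, run once with wrapping multiplication (pre-0.8 Solidity) and once with checked multiplication, together with the supply-conservation invariant an auditor would check. All addresses, balances and amounts are constructed.

```python
# Added model, not code from the article or from any token contract: a
# batchTransfer-style function over 256-bit unsigned integers, with the
# arithmetic (wrapping vs. checked) passed in, plus an audit invariant.

UINT256_MAX = 2**256 - 1

def mul_unchecked(a, b):
    """uint256 multiplication as pre-0.8 Solidity does it: wraps modulo 2**256."""
    return (a * b) & UINT256_MAX

def mul_checked(a, b):
    """uint256 multiplication that reverts on overflow (SafeMath / Solidity >= 0.8)."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product

def batch_transfer(balances, sender, receivers, value, mul):
    """Credit `value` to each receiver after one total-amount balance check.

    `balances` maps address -> uint256 and is modified in place. With a
    wrapping `mul`, the total can wrap to a small number and pass the check
    even though every receiver is then credited the full `value`.
    """
    total = mul(len(receivers), value)
    if value == 0 or balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] -= total
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return total

def supply_conserved(before, after):
    """Invariant a reviewer checks: a transfer must not change total supply."""
    return sum(before.values()) == sum(after.values())

def demo(mul):
    """Run one batch transfer with an overflow-sized constructed value and
    return (outcome, supply_conserved). Constructed state: sender holds 1000."""
    balances = {"0xSENDER": 1000}
    before = dict(balances)
    # Constructed input: two receivers and value = 2**255, so the product
    # 2 * value == 2**256, which wraps to 0 under unchecked arithmetic.
    try:
        batch_transfer(balances, "0xSENDER", ["0xA", "0xB"], 2**255, mul)
    except (OverflowError, ValueError) as exc:
        return type(exc).__name__, supply_conserved(before, balances)
    return "ok", supply_conserved(before, balances)
```

With wrapping arithmetic `demo` reports the transfer as successful while the supply invariant is broken; with checked arithmetic the same call reverts and the balances are untouched.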
The current problem with some ERC20 tokens comes just after MyEtherWallet reported yesterday that around $150 mln ETH was stolen in an unrelated DNS hack.