Crypto exchange Poloniex has suspended all ERC-20 (Ethereum-based) token deposits and withdrawals, and HitBTC has initiated an internal inspection that takes deposits and transfers offline, following OKEX’s decision to halt ERC20 deposits earlier today after the discovery of a potential new smart contract bug called batchOverFlow.
On April 23, Medium user ranimes posted a blog entitled, “New batchOverflow Bug in Multiple ERC20 Smart Contracts,” detailing how “a previously unknown vulnerability in the contract” could allow “an attacker to possess a huge amount of tokens by exploiting these vulnerable contracts,” thus allowing for price manipulation.
The blog post notes that, due to the “code-is-law” principle that is used on the Ethereum (ETH) Blockchain, “there is no traditional well-known security response mechanism in place to remedy these vulnerable contracts.”
The author of the blog writes that teams that work with contract with this vulnerability have been contacted, but “other exchanges also need to be coordinated and there still exist other tradable tokens vulnerable to batchOverflow.”
The blog mentions that another problem could arise with non-centralized exchanges that use offline trading services, “as they cannot even stop attackers from laundering their tokens.”
Medium user John Huxtable commented on the blog post that he thinks “it’s worth noting that batchTransfer isn’t a standard ERC20 function so only the contract owners which chose to implement it could be effected.”
The current problem with some ERC20 tokens comes just after MyEtherWallet reported yesterday that around $150 mln ETH was stolen in an unrelated DNS hack.