Editor's Note: This article comes fromBlock Beats BlockBeatsEditor's Note: This article comes from
Block Beats BlockBeats
, Author: 0x2, reproduced with authorization.
Another security breach, again related to exchanges.
This smart contract vulnerability called tradeTrap has affected more than 700 ERC-20 Tokens, including dozens of Tokens such as AI, SUB, NTO, TGT, FC, TBT, etc. that have been traded on exchanges, involving Binance , Huobi, OKEx, HitBTC, ZB, EtherDelta, IDEX and other 26 exchanges.
This vulnerability is the security vulnerability discovered this year that affects the largest number of users, involves the most currencies, and involves the most exchanges. It is reported that the vulnerability may be intentionally or unintentionally reserved in the smart contract by the developer. If the intention is good, it will not cause any impact, but If abused by hackers, security incidents such as illegal arbitrage and price manipulation can easily be realized.
secondary title
The details of the most influential smart contract vulnerability in history are exposed
Block Beats learned from the PeckShield team that the tradeTrap vulnerability includes multiple known security issues:
Hackers can use the mintToken() function to increase the Token balance at will
Hackers can use the three functions setPrices() buy() sell() to manipulate Token prices and conduct unfair arbitrage
BuyTrap and SellTrap allow buyers and sellers to fail to receive Token after successful payment or to receive income after selling.
In the smart contract with the tradeTrap vulnerability, PeckShield found a function called mintToken(), which can be used by hackers to arbitrarily issue token balances to any Ethereum address.
Generally speaking, this function can only be used under the control of the contract owner, and is used for the additional issuance of contract tokens. This function is mainly used in the Token pre-sale stage. The project party can use this function to issue corresponding Tokens to private investors. After the pre-sale is over, it should stop using this function. But in fact, this function can still be used at will after the pre-sale ends.
If the project party does not expose the additional issuance plan and abuses this function, it can issue additional project tokens to any Ethereum address. The number of Tokens issued out of thin air will disrupt the market transactions of the Token and bring losses to investors.
Take Substratum, which has this vulnerability, as an example. There is a huge gap in the total amount of Tokens in this project on various platforms, and it is suspected of malicious issuance.
There are 592 million Tokens in the SUB Token contract address queried in EtherScan, and data platforms such as Feixiaohao and Coinmarketcap show that the total number of SUB Tokens issued is 472 million. Block Rhythm BlockBeats also found that the Token issuance in Substratum's white paper has also changed several times. In the August 2017 white paper, the number of issuance was 600 million Tokens, and in the December white paper, the number of issuances was 226 million.
After communicating with the PeckShield team, it was discovered that Substratum had indeed called the mintToken() function, and made an additional issuance of 580 million Tokens, indicating that the vulnerability of this interface is indeed effective and usable. At present, the team has issued a statement on Medium stating that this function has only been used in the test network and has not been issued after the transaction.Another security concern exists with price manipulation. In the smart contract where this kind of problem occurs, there are three functions: setPrice(), buy(), and sell(). These functions can only be controlled by the smart contract owner, and can specify the purchase and sale price of Token. The public can directly use the buy() and sell() functions to buy and sell Tokens.
If you read the contract code carefully, you will find that the price of Token in this contract is controlled by the owner of the contract, but the purchase and sale prices of Token circulating in the market should actually be determined by the market.
The vulnerability allows hackers to manipulate prices for arbitrage.
In some cases, unscrupulous exchanges can take advantage of this loophole to buy Tokens at a low price, deposit them into the exchange, and then sell them at a high price in the market, forming an arbitrage by the exchange itself. This is actually against business moral behavior.
Currently, the vulnerability affects Tokens such as INT, SUB, and SWFTC, which are being traded on exchanges such as OKEx, Huobi, HitBTC, IDEX, and EtherDelta.
secondary title
The exchange has fixed the tradeTrap vulnerability, and users can trade safely
Currently Binance, Huobi, OKEx, OKCoinKR, CoinEgg, Kucoin, Allcoin, HitBTC, Bitbns, ZB, OTCBTC, CoinBene, COSS, Etherdelta, ForkDelta, IDEX, YEX, Tidex, Radar Relay, Yobit, WazirX, CoinExchange, CoinSpot, Bluetrade, CEX, LiveCoin and other 26 exchanges have all confirmed the vulnerability. Binance and other exchanges have confirmed with the SUB project that the vulnerability has no major impact, and users can trade with confidence.
But we cannot help but ask the following question:
text
Why do you always wait until the security team is there to fix vulnerabilities?
Since the security team began to expose blockchain security vulnerabilities in April, the security team was the first to report the vulnerabilities, and then the exchanges and projects involved followed up, always a step behind.
Block beats BlockBeats has questioned the parties involved countless times after the security breach occurred, especially the exchange, have we done a good job of auditing? Is the so-called listing review just a formal process?
Recently, many exchanges have even listed coins at will, without going through the process of voting for listing coins at all. OKEx listed a BEC without any real information, Huobi listed Yuhong’s pure concept community coin XMX, and Binance launched QuarkChain, which is suspected of misleading consumers. What investors saw was the media’s overwhelming publicity and Potential investment opportunities, but what BlockBeats sees are related interests and insider trading. This kind of "connection" behavior is not only unsafe, but also lays the groundwork for blockchain security incidents ".Taking the set/buy/sellPrice loophole mentioned above as an example, the exchange has every opportunity to use this contract loophole to buy tokens at a low price, and then sell them when the market is high to achieve arbitrage, or use low-cost tokens to manipulate Currency price, in order to obtain profit. However, in order to avoid this kind of thing from being exposed, the deposit address of the exchange will be changed regularly, causing the Token to lose track after it flows to the exchange.
For investigators,
The exchange is currently the biggest black hole in the entire blockchain ecosystem. All decentralized and transparent means will become untraceable after being passed through the centralized exchange, making the blockchain itself meaningless.
The exchange’s current approach to dealing with security issues is to deal with one when it encounters one. It will not take any preventive measures for security issues that may arise in the future, and will not notify users in time to stop losses when problems occur. Token, nor any effective remedy. For example, with the recent EDU contract loophole, Huobi.com’s approach is only to re-list the currency transaction after fixing the loophole at the request of the project party. The damaged investors can only watch their asset balance drop.
