SlowMist: BEC Smart Contract Unlimited Token Transfer Vulnerability Analysis and Warning (Released in 2018)

SlowMist
May 8, 2023

According to an announcement by OKEx, abnormal transactions in BEC were reported at around 13:00 on April 22.

The SlowMist security team analysed the incident immediately and traced it to a vulnerability in the batchTransfer function of the BEC smart contract. The function computed the total to be debited as cnt * value with a raw uint256 multiplication. An attacker could pass in a value large enough that cnt * value exceeded the maximum of uint256; the product wrapped around to 0, and the subsequent check that the sender's balance covers the (now zero) amount passed trivially.

Because the sender is debited by this wrapped amount (0) while each receiver is still credited the full value, the attacker's account gives up no BEC at all, yet the receiving addresses gain an enormous quantity of BEC.

Based on this analysis, the SlowMist security team recommends that smart contract developers implementing batch transfers compute the total with checked arithmetic (for example SafeMath's mul) rather than a raw multiplication, explicitly verify that the total amount to be transferred out is greater than 0, and perform the balances[msg.sender].sub(value) debit inside the for loop, so that the sender is charged once for every credit and the total debited can never be smaller than the total credited.
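As an added example that is not part of the original SlowMist post or the BEC contract's source, the following Python model reproduces the overflow described above and the mitigations just recommended. Arithmetic is kept in the range of a Solidity uint256: the vulnerable path wraps modulo 2**256 as a pre-0.8 Solidity multiplication does, while the hardened path reverts. The Token class, its batch_transfer_* methods and the account names are assumptions standing in for the contract, and the attack input (two receivers, value = 2**255) is constructed so that cnt * value is exactly 2**256 and wraps to 0.

```python
# Added example (not from the SlowMist post or the BEC contract): a Python model
# of the batchTransfer overflow and its fix. Values are kept in range of a
# Solidity uint256; the "vulnerable" path wraps modulo 2**256 exactly as a
# pre-0.8 Solidity multiplication does, the "fixed" path reverts instead.

UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for a failed require() or a SafeMath revert in the EVM."""


def safe_mul(a, b):
    """SafeMath-style multiply: revert on overflow instead of wrapping."""
    c = a * b
    if c > UINT256_MAX:
        raise Revert("SafeMath: multiplication overflow")
    return c


def safe_add(a, b):
    c = a + b
    if c > UINT256_MAX:
        raise Revert("SafeMath: addition overflow")
    return c


def safe_sub(a, b):
    if b > a:
        raise Revert("SafeMath: subtraction overflow")
    return a - b


class Token:
    """Minimal stand-in for an ERC20 balance map (assumption, not BEC source)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def bal(self, who):
        return self.balances.get(who, 0)

    def batch_transfer_vulnerable(self, sender, receivers, value):
        """The flawed pattern: the total is computed with a raw, wrapping
        multiplication and only then compared against the sender's balance."""
        cnt = len(receivers)
        amount = (cnt * value) & UINT256_MAX          # wraps: 2 * 2**255 -> 0
        if not (0 < cnt <= 20):
            raise Revert("bad receiver count")
        if not (value > 0 and self.bal(sender) >= amount):
            raise Revert("insufficient balance")       # passes when amount == 0
        self.balances[sender] = safe_sub(self.bal(sender), amount)
        for r in receivers:                            # each receiver still gets full value
            self.balances[r] = safe_add(self.bal(r), value)
        return amount

    def batch_transfer_fixed(self, sender, receivers, value):
        """Hardened variant: checked multiplication, an explicit amount > 0
        check, and the sender debited inside the loop so the total debited
        always equals the total credited."""
        cnt = len(receivers)
        if not (0 < cnt <= 20):
            raise Revert("bad receiver count")
        amount = safe_mul(cnt, value)                  # reverts for 2 * 2**255
        if not (amount > 0 and self.bal(sender) >= amount):
            raise Revert("insufficient balance")
        for r in receivers:
            self.balances[sender] = safe_sub(self.bal(sender), value)
            self.balances[r] = safe_add(self.bal(r), value)
        return amount


def run_attack():
    """Replay the overflow input against both variants. Constructed scenario:
    the attacker holds 1 token and names two receivers with value = 2**255."""
    attacker, r1, r2 = "attacker", "receiver1", "receiver2"
    value = 2**255

    vuln = Token({attacker: 1})
    amount = vuln.batch_transfer_vulnerable(attacker, [r1, r2], value)

    fixed = Token({attacker: 1})
    try:
        fixed.batch_transfer_fixed(attacker, [r1, r2], value)
        reverted = False
    except Revert:
        reverted = True

    return {
        "wrapped_amount": amount,                    # 0
        "attacker_after_vuln": vuln.bal(attacker),   # still 1: nothing debited
        "receiver_after_vuln": vuln.bal(r1),         # 2**255 credited from nothing
        "fixed_reverted": reverted,                  # True
        "receiver_after_fixed": fixed.bal(r1),       # 0
    }


if __name__ == "__main__":
    for k, v in run_attack().items():
        print(f"{k}: {v}")
```

Running the block shows the sender's balance untouched and each receiver holding 2**255 on the vulnerable path, while the hardened path reverts before any balance changes; with honest inputs (for example two receivers and a value of 3 from a balance of 10) the hardened path debits exactly the 6 tokens it credits.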

Other token issuers are advised to audit their own contracts promptly, as this class of vulnerability is both irreversible once exploited and highly destructive.

About SlowMist

SlowMist is a blockchain security firm established in January 2018 by a team with more than ten years of network security experience, with the aim of becoming a global force in this field. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/
