[ Update (2018-06-24): With the swift, coordinated response from Huobi.pro, we appreciate the announcement on suspending deposits and withdrawals of the affected tokens! ]
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow, proxyOverflow [2], transferFlaw [3], ownerAnyone [4], multiOverflow [5], burnOverflow, ceoAnyone, allowAnyone, allowFlaw, tradeTrap [10]). Some of them could be used by attackers to generate tokens out of nowhere or steal tokens from legitimate holders, while others can be used to take over the ownership from the legitimate contract owner (or administrator).
In this blog, we disclose a new type of vulnerability named evilReflex. By exploiting this bug, an attacker can transfer an arbitrary amount of tokens owned by a vulnerable smart contract to any address. Specifically, whenever a vulnerable smart contract holds a non-zero token balance, those tokens could be swept out by an attacker.
EPoD: Ethereum Packet of Death (CVE-2018-12018)
On June 15th, Dr. Jiang, founder and CEO of PeckShield, announced that PeckShield had found a security flaw that could cause 60% of current Ethereum nodes to crash within seconds.
PeckShield and DoraHacks, a global hacker community, will announce and demonstrate this loophole at the Blockchain Connect Conference on June 27th in San Jose in front of 3,000 blockchain industry experts.
Full Disclosure of Highly-Manipulatable, tradeTrap-Affected ERC20 Tokens in Numerous Top Exchanges
[ Update (2018-06-12): The BMB (BMB) contract (0x0e935e976a47342a4aee5e32ecf2e7b59195e82f) is NOT affected by tradeTrap. We sincerely apologize for mistakenly listing it as a vulnerable ERC20 token. ]
Quoted from our last blog, “publicly tradable ERC-20 tokens have considerably high market value. Various exchanges, either centralized (e.g., Binance, Huobi.pro, and OKex) or decentralized (e.g., IDEX, EtherDelta, ForkDelta), provide the marketplace by listing them, especially the high-liquidity ones, for public trading. Evidently, the transparency and security of their corresponding smart contracts is paramount. In practice, there is a de-facto requirement for these contracts to be publicly verifiable on etherscan.io. Moreover, reflecting the fundamental ‘code-is-law’ spirit and trust of blockchain technology, these contracts once deployed should not be further subject to centralized control or manipulation.”
After publishing our blog, we have been contacted by a number of affected cryptocurrency exchanges. As we believe the corresponding mitigation mechanism is now in place, it is time to disclose the details of tradeTrap. As emphasized above, once the smart contracts of publicly tradable ERC-20 tokens are deployed, they should not be further subject to centralized control or manipulation. Unfortunately, tradeTrap plagues 700+ ERC20 tokens and we have so far confirmed that at least dozens of them are publicly tradable on current exchanges, including Binance, Huobi.pro, OKex, OKCoinKR, CoinEgg, Kucoin, Allcoin, HitBTC, Bitbns, ZB, OTCBTC, CoinBene, COSS, EtherDelta, ForkDelta, IDEX, YEX, Tidex, Radar Relay, Yobit, WazirX, CoinExchange, CoinSpot, Bluetrade, CEX, and Livecoin. The full list of tradeTrap-affected ERC20 tokens is available here.
While we tend to think these contracts are deployed in good faith and without any hidden or unintended purpose, the existence of highly manipulatable interfaces (or knobs) could nevertheless be exploited to either make inappropriate arbitrage or even directly control the buy/sell prices of affected tokens. All of these will eventually result in financial loss for trading customers and essentially reflect insufficient security on the part of affected exchanges when listing these tokens for trading.
In the following, we would like to disclose two types of manipulatable interfaces which could be exploited to achieve unfair arbitrage.
Highly-Manipulatable ERC20 Tokens Identified in Numerous Top Exchanges (including Binance, Huobi, and OKex)
Publicly tradable ERC-20 tokens have considerably high market value. Various exchanges, either centralized (e.g., Binance, Huobi.pro, and OKex) or decentralized (e.g., IDEX, EtherDelta, ForkDelta), provide the marketplace by listing them, especially the high-liquidity ones, for public trading. Evidently, the transparency and security of their corresponding smart contracts is paramount. In practice, there is a de-facto requirement for these contracts to be publicly verifiable on etherscan.io. Moreover, reflecting the fundamental “code-is-law” spirit and trust of blockchain technology, these contracts once deployed should not be further subject to centralized control or manipulation.
In this blog, we would like to report a security issue called tradeTrap (combined with vulnerable implementations) that utterly violates the above requirement. Unfortunately, tradeTrap plagues hundreds of ERC20 tokens and we have so far confirmed that at least ten of them are publicly tradable on current exchanges. Those affected tokens could offer high-profit arbitrage opportunities to bad actors.
Entering the Final 23-Hour Grace Period for EOS Registration: 194 Million Dollars of EOS Tokens Are Not Registered or Wrongly Registered
The largest ICO in history, i.e., the ERC-20 EOS Token ICO, closed on June 1st at 22:59:59 UTC. In total, EOS has raised $4 billion with 331,433 token holders. Among these token holders (excluding the reserved 0xb1 address), 149,533 of them had registered their EOS public keys and they will be officially included in the snapshot for EOS genesis generation. These registered 149,533 token holders share 88% of the total supplied EOS tokens. On the other hand, there are 181,900 token holders (1.41% share) who have not finished the registration yet. If they do not complete the registration within the 23-hour grace period, they may not actually own the tokens once the grace period is over. For the remaining 10.59%, the 0xb1 address holds the reserved 10% share, and the final 0.59% is kept in the EOS smart contract, representing those investors who already paid for the token sale but have not claimed their tokens yet.
Watch Your EOS Registration: Wrong/Inappropriate Registration Might Cost 27 Million Dollars!
We have been updating the EOS community about the latest registration status and the upcoming deadline for weeks, and have made good efforts to urge the entire EOS community and related token holders to take the necessary actions for a smooth registration. As of today, we found that 29.98% of EOS tokens are still NOT registered!
Today, we found another worrisome issue that requires immediate attention from the EOS community. Among all registered (70.02%) EOS tokens, 0.23% are not properly registered. Based on today’s EOS price (12.40 USD), these improperly registered tokens are equivalent to 27 million dollars (USD), which might be lost forever if not immediately re-registered before the EOS mainnet launch. With that, we strongly recommend token holders who have already finished the registration to re-examine their EOS keys carefully. Otherwise your registration might be invalidated!
Specifically, our analysis shows that there are two different ways that lead to an invalid registration:
- Using a public, known key: EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV,
- Using a malformed key
In the first case, since the EOS key is publicly known, your registered tokens might be immediately stolen by others. This particular case was reported by EOSAuthority today. However, our analysis shows that the registration issue is much more severe than we thought because of the second case.
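As an added check that is not part of the original post, the following Python classifies a registered EOS key against the two failure modes listed above. The publicly known key is matched literally, and "bad format" is tested against the legacy EOS key encoding in use at the time ("EOS" followed by base58 of a 33-byte compressed secp256k1 public key and the first 4 bytes of its RIPEMD-160 hash); the newer PUB_K1_ format is not handled. The holder list is constructed for the example, the helper names are our own, and the checksum is only verified when the Python build's hashlib offers ripemd160.

```python
# Added example (not from the original post): classify EOS registration keys
# against the two invalid-registration causes described above.
import hashlib

# Bitcoin/EOS base58 alphabet (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The publicly known key named on this page; anyone with its private key can sweep the tokens.
KNOWN_PUBLIC_KEYS = {"EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV"}


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def _ripemd160(data: bytes):
    """RIPEMD-160 via hashlib; returns None on builds whose OpenSSL lacks it."""
    try:
        return hashlib.new("ripemd160", data).digest()
    except (ValueError, TypeError):
        return None


def make_eos_key(pub33: bytes) -> str:
    """Legacy EOS key encoding: 'EOS' + base58(pubkey || ripemd160(pubkey)[:4])."""
    h = _ripemd160(pub33)
    chk = h[:4] if h else b"\x00" * 4  # checksum cannot be computed without ripemd160
    return "EOS" + b58encode(pub33 + chk)


def classify_registration(key: str) -> str:
    """Return 'valid', 'publicly known key', or a 'bad format: ...' reason."""
    if key in KNOWN_PUBLIC_KEYS:
        return "publicly known key"
    if not key.startswith("EOS"):
        return "bad format: missing EOS prefix"
    try:
        raw = b58decode(key[3:])
    except ValueError:
        return "bad format: not base58"
    if len(raw) != 37:
        return f"bad format: decoded length {len(raw)} != 37"
    pub, chk = raw[:33], raw[33:]
    if pub[0] not in (2, 3):
        return "bad format: not a compressed secp256k1 point"
    h = _ripemd160(pub)
    if h is None:
        return "valid (checksum not verified: ripemd160 unavailable)"
    if h[:4] != chk:
        return "bad format: checksum mismatch"
    return "valid"


def holders_needing_reregistration(registrations: dict) -> dict:
    """Map holder -> reason for every registration that is not valid."""
    return {holder: classify_registration(k)
            for holder, k in registrations.items()
            if not classify_registration(k).startswith("valid")}


# Constructed sample: ETH holder address -> registered EOS key (addresses are made up).
SAMPLE = {
    "0xaaaa": make_eos_key(b"\x02" + bytes(32)),                      # well-formed, unique key
    "0xbbbb": "EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV",  # the publicly known key
    "0xcccc": "EOS0MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV",  # '0' is not base58
    "0xdddd": "EOSabc",                                                 # truncated
    "0xeeee": "6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV",     # prefix missing
}

if __name__ == "__main__":
    for holder, reason in holders_needing_reregistration(SAMPLE).items():
        print(holder, "->", reason)
```

Run against a dump of the EOSCrowdsale `keys` mapping, the non-"valid" entries are exactly the holders who must re-register before the freeze; a checksum mismatch is the common symptom of a key that was copied with a character dropped or changed.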
Analyzing and Reproducing the EOS Out-of-Bound Write Vulnerability in nodeos
Today, Qihoo 360 posted on its blog about an out-of-bound access vulnerability in nodeos, part of the EOSIO software package. This vulnerability can be exploited to trigger a Remote Code Execution (RCE) attack. Considering the severity of the vulnerability and the timing of the upcoming EOS mainnet launch, researchers at PeckShield immediately looked into the nodeos codebase and successfully reproduced the bug by crafting a malicious smart contract that crashes the vanilla EOS client, as mentioned in the blog.
Let’s start with a quick recap of the vulnerability. We show in Figure 1 the related WASM contract handler. As highlighted in the figure, there is an out-of-bound write at line 78 because the offset local variable is extracted from the untrusted contract binary (line 75) and used without a bounds check.
BiYong, An IM-Integrated Digital Wallet App, Poses Serious Privacy and Personal Risks
[ Update (2018-06-05): The latest version of BiYong has accordingly fixed the reported issues! Thanks to the BiYong team for the responsible and timely upgrade! ]
Digital wallets provide essential functionality for managing digital assets or tokens and are considered a key pillar of the broader blockchain ecosystem. In today’s mobile app markets, there are quite a few wallet-oriented mobile apps (e.g., Exodus and imToken) that provide great convenience and service for managing digital assets. However, unlike other mobile apps, digital wallets face stricter requirements and higher standards for privacy and security, especially with the enforcement of the EU General Data Protection Regulation (GDPR).
Recently, researchers at PeckShield examined a number of mobile app-based digital wallets and came across a well-known blockchain-oriented IM app, i.e., BiYong, with almost 3 million monthly active mobile users. This particular app aims to become the “WeChat” of the Blockchain world by building a social network that links Blockchain users, communities, media, assets, applications, etc. It not only offers features to seamlessly interact with Telegram, but also provides digital wallet functionality for asset transfer or payment. However, our analysis shows that BiYong fails to hold a high standard in collecting and managing users’ private information. Specifically, this app collects the user’s Telegram identity (i.e., Telegram ID and name), phone number, and even the payment passcode, and uploads them to BiYong servers in plaintext! We consider this entirely unacceptable, as it violates user privacy and betrays the fundamental spirit behind Blockchain of preserving user privacy and pseudonymity.
Final Week Countdown: Half of EOS Tokens Are Still NOT Registered!
One week before the expected freezing of ERC20-based EOS tokens, we found that 51.7% of EOS tokens are still NOT registered. Compared with our last probe on 05/01/2018, the EOS registration rate shows some improvement, but certainly not a significant one. Among the 48.3% registered tokens, 10% was already reserved for block.one at the very beginning, leaving externally-circulating tokens at only 38.3% registered! This is a very BAD sign for the entire EOS community.
New allowAnyone Bug Identified in Numerous ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow, proxyOverflow [2], transferFlaw [3], ownerAnyone [4], multiOverflow [5], burnOverflow, ceoAnyone). Some of them could be used by attackers to generate tokens out of nowhere or steal tokens from legitimate holders, while others can be used to take over the ownership from the legitimate contract owner (or administrator).
Today, our system reports a new vulnerability called allowAnyone that affects a number of publicly tradable tokens (including EDU). Because of the vulnerability, attackers can steal valuable tokens (managed by the affected, vulnerable smart contracts) from legitimate holders. More specifically, our investigation shows that in those vulnerable smart contracts, the ERC20 standard API transferFrom() has an issue when checking the allowed[ ][ ] storage, which represents the amount of tokens that _from permits msg.sender to spend. As a result, anyone can transfer tokens on behalf of any other holder who has a non-zero balance.
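As an added illustration that is not code from the original post or from any affected contract, the Python below reconstructs the pattern described above: a transferFrom() that checks the sender's balance but never checks that allowed[_from][msg.sender] covers _value, so the allowance is decremented from zero and wraps. The EVM's unchecked uint256 arithmetic (Solidity 0.4.x without SafeMath) is modeled explicitly, and the token, addresses and balances are made-up constants.

```python
# Added example (not the original post's code): a minimal ERC20 ledger modeled
# in Python with EVM-style uint256 wrap-around, so the allowAnyone pattern can be
# reproduced next to the correct check.

U256 = 2 ** 256


def u256_sub(a: int, b: int) -> int:
    """Unchecked uint256 subtraction as the EVM computes it (wraps on underflow)."""
    return (a - b) % U256


def u256_add(a: int, b: int) -> int:
    """Unchecked uint256 addition as the EVM computes it (wraps on overflow)."""
    return (a + b) % U256


class Token:
    """Toy ERC20 ledger: balances[addr] and allowed[owner][spender]."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowed: dict = {}

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowed.get(owner, {}).get(spender, 0)

    def approve(self, owner: str, spender: str, value: int) -> None:
        self.allowed.setdefault(owner, {})[spender] = value

    def transfer_from_vulnerable(self, sender: str, _from: str, _to: str, value: int) -> None:
        """allowAnyone pattern: the balance is checked, the allowance is not.
        allowed[_from][sender] is decremented unchecked, so a zero allowance
        wraps to 2**256 - value and the transfer goes through."""
        if self.balances.get(_from, 0) < value:
            raise ValueError("insufficient balance")
        self.allowed.setdefault(_from, {})[sender] = u256_sub(self.allowance(_from, sender), value)
        self.balances[_from] = u256_sub(self.balances[_from], value)
        self.balances[_to] = u256_add(self.balances.get(_to, 0), value)

    def transfer_from_fixed(self, sender: str, _from: str, _to: str, value: int) -> None:
        """Correct ERC20 semantics: require allowed[_from][sender] >= value first."""
        if self.balances.get(_from, 0) < value:
            raise ValueError("insufficient balance")
        if self.allowance(_from, sender) < value:
            raise ValueError("insufficient allowance")
        self.allowed.setdefault(_from, {})[sender] = self.allowance(_from, sender) - value
        self.balances[_from] -= value
        self.balances[_to] = self.balances.get(_to, 0) + value


# Constructed scenario: VICTIM holds tokens and never approved ATTACKER.
VICTIM, ATTACKER = "0xVICTIM", "0xATTACKER"


def steal_via_allowanyone() -> dict:
    t = Token({VICTIM: 1_000})
    t.transfer_from_vulnerable(ATTACKER, VICTIM, ATTACKER, 1_000)
    return {"victim": t.balances[VICTIM], "attacker": t.balances[ATTACKER],
            "allowance_after": t.allowance(VICTIM, ATTACKER)}


def steal_via_fixed() -> str:
    t = Token({VICTIM: 1_000})
    try:
        t.transfer_from_fixed(ATTACKER, VICTIM, ATTACKER, 1_000)
    except ValueError as e:
        return str(e)
    return "transfer succeeded"


if __name__ == "__main__":
    print(steal_via_allowanyone())  # attacker drains the victim with zero allowance
    print(steal_via_fixed())        # insufficient allowance
```

The wrapped allowance (2**256 - 1000 after the theft) is the on-chain tell: an `Approval`-less transferFrom that leaves a near-maximum allowance behind is a cheap heuristic for a transaction scanner watching for this bug.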
New ceoAnyone Bug Identified in Numerous Crypto Game Smart Contracts (CVE-2018-11329)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow, proxyOverflow [2], transferFlaw [3], ownerAnyone [4], multiOverflow [5], burnOverflow). These vulnerabilities typically affect various tokens that may be publicly traded in exchanges. Today, we would like to report a new vulnerability named ceoAnyone, which affects not tradable tokens in exchanges but crypto-games.
Starting from the end of 2017, blockchain-based crypto-games have become popular, especially with the initial success of CryptoKitties. Among crypto-games, crypto idle games are an interesting category that enables players to make money by idling for hours, followed by a profit-making transaction (e.g., selling a Lab Rat on Ether Goo). Many of the crypto idle game owners profit from the transaction fee. However, what if the owner address could be manipulated or fully hijacked by attackers?
New burnOverflow Bug Identified in Numerous ERC20 Smart Contracts (CVE-2018-11239)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow, proxyOverflow [2], transferFlaw [3], ownerAnyone [4], multiOverflow [5]). Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from legitimate holders.
Today, we would like to report another vulnerability called burnOverflow that affects a few ERC20-related tokens. In particular, one such token, i.e., Hexagon Token (HXG), has already been attacked in the wild. Specifically, on 5/18/2018, 12:55:06 p.m. UTC, PeckShield detected such an attacking transaction (as shown in Figure 1) where someone calls transfer() with a huge amount of HXG tokens, 0xffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,fffe, to another address without actually spending any HXG tokens.
New multiOverflow Bug Identified in Numerous ERC20 Smart Contracts (CVE-2018-10706)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow, proxyOverflow, transferFlaw, ownerAnyone). Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from legitimate holders. Today, we would like to report another vulnerability named multiOverflow that afflicts dozens of ERC20-based smart contracts. Our investigation shows that multiOverflow is another integer overflow bug which is similar to batchOverflow but with its own characteristics.
New ownerAnyone Bug Allows Anyone to ”Own” Certain ERC20-Based Smart Contracts (CVE-2018-10705)
This morning, our vulnerability-scanning system at PeckShield identified a new vulnerability named ownerAnyone in certain ERC20-based smart contracts such as AURA, which is deployed by a decentralized banking and finance platform, AURORA. This bug, if successfully exploited, might introduce the danger of serious financial accidents. Fortunately, attackers would not financially benefit from exploiting the vulnerability. Instead, the ownerAnyone bug can be used to mount a Denial-of-Service (DoS) attack on the affected smart contracts.
No Improvement: EOS Token Registration Continues to be Low (ONLY 28.57% of Tokens Registered)!
The ERC20-based EOS tokens are expected to become frozen on the Ethereum blockchain on June 2, 2018 22:59:59 UTC (shortly before the scheduled EOS mainnet launch). Evidently, holding a certain amount of EOS tokens at this stage is not yet equivalent to having the corresponding share of native EOS tokens. Instead, current holders of ERC20-based EOS tokens need to register their tokens through the EOSCrowdsale contract. Only after the registration will current token holders be entitled later on the EOS mainnet to the voting privilege for their favorite block producers or super-nodes, which presently go through intensive competition and heated discussions.
In our study last month, we found that as of 04/01/2018, among all issued tokens, the EOS token registration rate was as low as 23.55%. One month later, we revisited and found that as of 05/01/2018, the EOS token registration rate remains as low as 28.57%, with hardly any improvement. Among the 28.57% registered, 10% was already reserved for block.one at the very beginning, leaving externally-circulating tokens at only 18.56% registered! This is worrisome, especially compared to the recently surging EOS market cap.
Your Tokens Are Mine: A Suspicious Scam Token in a Top Exchange
Our automated scanning system at PeckShield discovered a new vulnerability named transferFlaw (CVE-2018-10468). This particular vulnerability affects a publicly traded ERC20 token listed in a top exchange. Different from batchOverflow and proxyOverflow [2] we identified before, this vulnerability does not lead to generating uncountable tokens. Instead, this one, when exploited, can be used by attackers to steal others’ tokens.
Our in-depth code analysis further indicates that it is very likely a scam token. We have promptly notified the affected exchanges to delist the related token. Note that the token has been publicly tradable for about 10 months, even though at a relatively low trade volume; we believe it poses a realistic threat to legitimate users and the cryptocurrency market as a whole.
MyEtherWallet Domain-Hijacking Financially Victimized 198 Users, Causing $320K Loss
On April 24th, MyEtherWallet (or MEW) users in certain areas suffered from domain hijacking and, when visiting the official MyEtherWallet.com domain, may have been redirected to phishing sites (physically located in Russia). As of this writing, there are 198 victims with a loss of $320K US dollars.
Around 12:00 PM UTC on April 24th, the DNS entries of certain Amazon servers were compromised [2], and a portion of web-browsing traffic (i.e., HTTPS-based web requests) to MEW was redirected to a fake phishing website. The fake website was camouflaged to have the same appearance as MEW. Note that the phishing website used a self-signed TLS certificate, which commodity browsers treat as insecure and flag with a warning pop-up. However, users may disregard the warnings and still choose to proceed and enter their key information, which is then stolen by the attackers to instantly transfer the remaining ETH balances.
New proxyOverflow Bug in Numerous ERC20 Smart Contracts (CVE-2018-10376)
On 4/24/2018, 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction (shown in Figure 1). In this particular transaction, someone transferred a large amount of MESH tokens, 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff (63 f’s), to herself along with a gigantic fee, 0x7000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0001, to the address issuing this transaction.
Alert: New batchOverflow Bug in Numerous ERC20 Smart Contracts (CVE-2018-10299)
Building on our earlier efforts in analyzing EOS tokens, we have developed an automated system to scan and analyze Ethereum-based (ERC-20) token transfers. Specifically, our system automatically sends out alerts if any suspicious transactions (e.g., involving unreasonably large token amounts) occur.
In particular, on 4/22/2018, 03:28:52 a.m. UTC, our system raised an alert related to an unusual BEC token transaction (shown in Figure 1). In this particular transaction, someone transferred an extremely large amount of BEC tokens, 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000 (63 0’s). In fact, there are two such large token transfers, each involving the same amount of tokens from the same BeautyChain contract but to two different addresses.
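The three transactions quoted on this page (BEC's batch transfer of 0x8000…0 to two recipients, MESH's proxy transfer of 0x8fff…f plus a fee of 0x7000…01, and HXG's transfer of 0xfff…fe through a burning transfer()) all exploit the same defect: a balance check computed with unchecked uint256 arithmetic that wraps to zero, so a sender with no balance passes it. The Python below is an added example serving the batchOverflow, proxyOverflow, multiOverflow and burnOverflow posts; it is not any token's contract source. It models the EVM's modulo-2**256 arithmetic and the shape of each check as the bug names describe it, beside a SafeMath-style version. Function names, the recipient count of two, the per-transfer burn constant of 2 and the zero sender balance are assumptions made for the example.

```python
# Added example (not the original post's code, not any token's contract source).
# Models the EVM's unchecked uint256 arithmetic and replays the three overflow
# patterns discussed on this page, plus SafeMath-style fixes.

U256 = 2 ** 256


def u_add(a: int, b: int) -> int:
    return (a + b) % U256


def u_mul(a: int, b: int) -> int:
    return (a * b) % U256


def safe_add(a: int, b: int) -> int:
    c = a + b
    if c >= U256:  # SafeMath: require(c >= a)
        raise OverflowError("uint256 add overflow")
    return c


def safe_mul(a: int, b: int) -> int:
    if a == 0:
        return 0
    c = a * b
    if c >= U256:  # SafeMath: require(c / a == b)
        raise OverflowError("uint256 mul overflow")
    return c


def batch_transfer_check(sender_balance: int, receivers: list, value: int, safe: bool = False) -> int:
    """batchOverflow / multiOverflow: amount = cnt * value. With cnt = 2 and
    value = 2**255 the product wraps to 0, so any balance passes the check
    while each receiver is still credited `value`."""
    cnt = len(receivers)
    amount = safe_mul(cnt, value) if safe else u_mul(cnt, value)
    if sender_balance < amount:
        raise ValueError("insufficient balance")
    return amount  # the amount the contract would debit from the sender


def transfer_proxy_check(from_balance: int, value: int, fee: int, safe: bool = False) -> int:
    """proxyOverflow: require(balance >= value + fee); value + fee wraps to 0."""
    total = safe_add(value, fee) if safe else u_add(value, fee)
    if from_balance < total:
        raise ValueError("insufficient balance")
    return total


BURN_PER_TRANSFER = 2  # assumed constant; the actual HXG figure is not on this page


def burn_transfer_check(from_balance: int, value: int, safe: bool = False) -> int:
    """burnOverflow: require(balance >= value + burn); value = 2**256 - 2 wraps the sum to 0."""
    total = safe_add(value, BURN_PER_TRANSFER) if safe else u_add(value, BURN_PER_TRANSFER)
    if from_balance < total:
        raise ValueError("insufficient balance")
    return total


# The amounts quoted on this page (64 hex digits = 256 bits each).
BEC_VALUE = int("8" + "0" * 63, 16)         # 0x8000...0, i.e. 2**255
MESH_VALUE = int("8" + "f" * 63, 16)        # 0x8fff...f (63 f's)
MESH_FEE = int("7" + "0" * 62 + "1", 16)    # 0x7000...01
HXG_VALUE = int("f" * 63 + "e", 16)         # 0xffff...fe, i.e. 2**256 - 2


def replay(safe: bool = False) -> dict:
    """Run all three checks with a sender balance of 0; returns the debited
    amount if the check passes, otherwise the name of the exception raised."""
    cases = {
        "batchOverflow": lambda: batch_transfer_check(0, ["recv1", "recv2"], BEC_VALUE, safe),
        "proxyOverflow": lambda: transfer_proxy_check(0, MESH_VALUE, MESH_FEE, safe),
        "burnOverflow": lambda: burn_transfer_check(0, HXG_VALUE, safe),
    }
    out = {}
    for name, fn in cases.items():
        try:
            out[name] = fn()
        except (ValueError, OverflowError) as e:
            out[name] = type(e).__name__
    return out


if __name__ == "__main__":
    print("unchecked:", replay(safe=False))  # every check passes with a debit of 0
    print("SafeMath: ", replay(safe=True))   # every check raises OverflowError
```

A scanner such as the one described above can apply the same arithmetic to the decoded calldata of a transfer: if `cnt * value` or `value + fee` reduced modulo 2**256 is smaller than `value`, the transaction is an overflow attempt regardless of the token's own bookkeeping.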
Low EOS Token Registration Is Worth Community Attention (and Action)!
Among existing digital cryptocurrency tokens, EOS gained prominence within the crypto community and has been touted as the next-generation flagship blockchain infrastructure. Its market capitalization has recently skyrocketed, placing it in 5th place with more than a $6B valuation. Notice that holding a certain amount of EOS tokens at this stage is not yet equivalent to having the corresponding share of native EOS tokens. In particular, before the official EOS mainnet launch in June 2018, token holders need to register their EOS tokens through the EOSCrowdsale contract. Only after the token registration can current token holders ‘‘own’’ their token share on the EOS mainnet right after the June launch. The ownership will further entitle token holders to vote for their favorite block producers, which presently fall under intensive competition and heated discussions.
In this blog, we take a close look at the EOS token registration progress. Our aim here is to find out how many token holders have actually finished the registration process. More specifically, considering the total supply of 1 billion EOS tokens, what is the percentage (or registration rate) that has actually completed the above registration?