OKEx Suspends BEC Trading Due to Irreversible Bug in Smart Contract
On 22 April, OKEx announced the emergency suspension of BEC trading on the exchange. The token BEC, "Beauty Ecosystem Coin (BEC)", was listed on OKEx on February 23. A huge price spike was observed on the exchange and caused controversy. The public accused the project of market manipulation, which was denied by Cai Wensheng, founder of Meitu. He also denied being the issuer of BEC, saying that it was issued by Beautychain, a third-party partner of Meitu.
Two months later, a fatal bug triggered an avalanche of BEC trading on OKEx. According to SlowMist, the consequence of the bug is irreversible and destructive. All smart contract developers are advised to review their code.
According to SlowMist, the batchTransfer function in the BEC smart contract (https://etherscan.io/address/0xc5d105e63711398af9bbff092d4b6769c82f793d) has a bug: an attacker could pass a very large value so that the product cnt * value exceeds the maximum value of a uint and wraps around to 0.
In this way, no BEC tokens leave the attacker's account, yet each receiver obtains a huge amount of BEC. The attacker then transferred a large amount of BEC tokens to OKEx, causing the exchange to suspend trading and withdrawals shortly afterwards.
From its analysis of the incident, the SlowMist security team recommends that smart contract developers strictly verify that the total amount transferred is greater than 0 during batch transfers, and perform the balances[msg.sender].sub(value) operation inside the "for" loop.
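The overflow described above, modelled as an added example (not code from the article or from the BEC contract): a Python ledger with uint256 wrap-around, showing the unchecked batch transfer beside a checked version that uses SafeMath-style multiplication and debits the sender inside the loop, as SlowMist recommends. Account names and balances are constructed for illustration.

```python
# Added example: a uint256 token ledger in Python. Arithmetic is reduced modulo
# 2**256, which is exactly what the EVM does when Solidity code does not check.
MASK = (1 << 256) - 1


class RequireFailed(Exception):
    """Stands in for a Solidity revert."""


def batch_transfer_vulnerable(balances, sender, receivers, value):
    """Unchecked product: cnt * value can wrap to 0, so the balance check passes
    even though every receiver is then credited with `value` (the BEC defect)."""
    cnt = len(receivers)
    amount = (cnt * value) & MASK  # wraps around instead of reverting
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise RequireFailed("require failed")
    balances[sender] = (balances[sender] - amount) & MASK  # subtracts 0 on overflow
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & MASK
    return balances


def safe_mul(a, b):
    """SafeMath-style multiplication: revert if the product does not fit in uint256."""
    if a == 0:
        return 0
    c = a * b
    if c > MASK or c // a != b:
        raise RequireFailed("multiplication overflow")
    return c


def safe_sub(a, b):
    """SafeMath-style subtraction: revert on underflow."""
    if b > a:
        raise RequireFailed("subtraction underflow")
    return a - b


def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened version: checked total, and the sender is debited per receiver
    inside the loop, so tokens can never be created out of thin air."""
    cnt = len(receivers)
    amount = safe_mul(cnt, value)  # reverts on overflow rather than wrapping to 0
    if not (0 < cnt <= 20 and value > 0 and amount > 0 and balances.get(sender, 0) >= amount):
        raise RequireFailed("require failed")
    for r in receivers:
        balances[sender] = safe_sub(balances[sender], value)  # debit inside the loop
        balances[r] = balances.get(r, 0) + value
    return balances
```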
Such vulnerabilities are irreversible and destructive in nature. Other smart contract issuers are advised to conduct reviews promptly.
Details can be found here. Possible solutions include reversing trades inside the exchange and creating a new smart contract with snapshot data migrated from the original contract. Rather than solving the problem, some Chinese community members seem more interested in watching the drama.