On April 22, 2018, there was a vulnerability found in some ERC20-Token Smart Contracts called overflow (related post from CryptoSlate called: “BatchOverflow Exploit Creates Trillions of Ethereum Tokens, Major Exchanges Halt ERC20 Deposits”). Here is the Storm team’s update to the community on how this does not affect the Storm Token contract.
What is "Overflow"?
“An overflow/underflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bits — either larger than the maximum or lower than the minimum representable value.”
This vulnerability has allowed some bad actors to create tokens without spending any of their own tokens. Storm Token is not affected by this vulnerability.
To verify this, we reviewed our Storm Token smart contract and found no weaknesses. This is thanks to OpenZeppelin's SafeMath utility library. See below for an outline of the technical details.
SafeMath Image: https://ethfiddle.com/z9y1U8Pbj-
Some coins/tokens with the vulnerability were using SafeMath, but forgot to use the SafeMath’s multiply operation in their batch transfer function.
Overflow with * operation image: https://ethfiddle.com/bxDFG-uCEe
Without overflow using SafeMath mul operation: https://ethfiddle.com/wn_tA5hTWj
We checked our Storm Token Contract and confirmed that every mathematical operation uses SafeMath.
Our StormToken transfers image: https://ethfiddle.com/--MgJJAY5s
Above is our batch transfer function ‘transfers.’ Only the contract owner can use the function for our weekly Storm payments.
This batch transfer function is written differently from other contracts: it does not pre-calculate the total token value, so it never multiplies large numbers.
The function simply processes the batch as a series of individual transfers. With the assert keyword, the contract ensures each individual transfer completes successfully, without any overflow.
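As an added illustration (not the Storm contract's code, and not from the linked ethfiddle snippets), the following Python model of the EVM's 256-bit arithmetic shows why a pre-computed `count * value` total lets the balance check pass when the product wraps, how a SafeMath-style checked `mul` turns that into a revert, and how the per-transfer approach described above avoids the multiplication entirely. The ledger, account names and values are constructed for the demonstration.

```python
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Models a Solidity revert (a failed SafeMath assert)."""

def evm_mul(a, b):
    """Plain uint256 `*`: the product silently wraps modulo 2**256."""
    return (a * b) & UINT256_MAX

def safe_mul(a, b):
    """SafeMath.mul: reverts instead of wrapping."""
    c = a * b
    if c > UINT256_MAX:
        raise Revert("mul overflow")
    return c

def safe_add(a, b):
    c = a + b
    if c > UINT256_MAX:
        raise Revert("add overflow")
    return c

def safe_sub(a, b):
    if b > a:
        raise Revert("sub underflow")
    return a - b

def batch_transfer(balances, sender, receivers, value, mul):
    """Batch transfer that pre-computes the total. With mul=evm_mul this is
    the batchOverflow pattern; with mul=safe_mul the overflow reverts."""
    amount = mul(len(receivers), value)
    if balances.get(sender, 0) < amount:
        raise Revert("insufficient balance")
    balances[sender] = safe_sub(balances.get(sender, 0), amount)
    for r in receivers:
        balances[r] = safe_add(balances.get(r, 0), value)
    return balances

def per_transfer_batch(balances, sender, receivers, value):
    """Storm-style batching: no pre-computed total; every single transfer
    is checked on its own, so no large numbers are ever multiplied."""
    for r in receivers:
        balances[sender] = safe_sub(balances.get(sender, 0), value)
        balances[r] = safe_add(balances.get(r, 0), value)
    return balances

def reverts(fn, *args):
    """True if the modelled call reverts."""
    try:
        fn(*args)
        return False
    except Revert:
        return True

# Constructed scenario: sender "s" holds zero tokens, two receivers, and a
# per-receiver value of 2**255, so 2 * value == 2**256 wraps to 0.
if __name__ == "__main__":
    big = 2**255
    print(batch_transfer({"s": 0}, "s", ["r1", "r2"], big, evm_mul))
    print(reverts(batch_transfer, {"s": 0}, "s", ["r1", "r2"], big, safe_mul))
    print(reverts(per_transfer_batch, {"s": 0}, "s", ["r1", "r2"], big))
```

The first call credits each receiver 2**255 tokens from a sender with no balance; the two checked variants revert instead.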
1. Use SafeMath.sol for every mathematical operation to prevent an overflow vulnerability
2. The Storm Token contract was not exposed to this vulnerability (overflow).
If you like reading about exploits in smart contracts, I recommend http://u.solidity.cc as a great resource.