ProxyOverflow Exploit Affecting ERC20 Tokens Highlights Need for Smart Contract Auditing

There is a lot of speculation regarding an exploit abused by some ERC20 token creators. Various assets have had their total supplies artificially inflated due to a proxyOverflow bug in the original ERC20 creation smart contract for those tokens. This has caused a fair amount of problems already, and it only further highlights the immaturity of this technology in general.

The proxyOverflow bug That Causes Major Havoc

It was only a matter of time before someone found a way to successfully abuse smart contract technology for financial gain. Few people will be surprised to learn those efforts mainly originate from newly created ERC20 tokens, as they are always a risk, for obvious reasons. PeckShield has kept tabs on an ongoing proxyOverflow exploit abused by multiple ERC20 token creators to increase the total supply of said assets.

This exploit allows users to transfer significant amounts of tokens and attach a massive fee to them. When this takes place, the proxyOverflow will increase the total supply of available tokens, even though that was never intended to happen. It seems this is due to a classic integer overflow found within the proxyTransfer() function, which is an integral part of all the affected smart contracts. Exploiting this overflow bug will have catastrophic results for the tokens in question.

Furthermore, this method can be used by assailants to transfer vast amounts of tokens to an address with a zero balance. The massive fee attached to these transactions will be sent to the msg.sender, which has all kinds of troublesome effects. So far, at least nine tokens have been affected by this issue, although the final tally may be a lot higher when everything is said and done. Exploits like these can affect dozens, if not hundreds, of ERC20 tokens with improper coding.

Although these developments are all quite worrisome, they also highlight the need for a security response mechanism in the Ethereum ecosystem. When issues like these are discovered and reported, there is nothing that can be done to remedy the affected contracts unless the creator of the contract decides to do something about it. With no proper coordination and communication, problems like these will have a ripple effect on the Ethereum ecosystem.

It appears quite a few exchanges have already suspended the trading of these tokens until the smart contract problems are addressed. While that is the proper course of action, it also negatively impacts those users who legitimately invested in these currencies and are now unable to do anything with them. At the same time, everyone holding any of the affected tokens is vulnerable right now, and thus there appears to be no other choice.

If there is one valuable lesson to be learned from all this, it is that proper audits of smart contracts before deploying them need to become a mandatory standard. Problems like these could have easily been avoided if the smart contracts had been reviewed by an independent party prior to using them on the live blockchain. It is a terrible development for the ERC20 industry, as all tokens will be scrutinized moving forward.