Chain (SCA) Ethereum ERC20 token CVE-2018-10706 – Integer Overflow

Authors:peckshield.com           Risk:High

CVE:CVE-2018-10706              0day:Integer Overflow  

0day -id:0DAY-176164             Date:2018-05-11

Description

An integer overflow in the transferMulti function of a smart contract implementation for Social Chain (SCA), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets, aka the “multiOverflow” issue.

Details

Integer overflow has been one of most common root causes of vulnerabilities in smart contracts. The multiOverflow bug also falls in this category.

Figure 1: The Vulnerable Function: transferMulti()

We show in Figure 1 the vulnerable function, i.e., transferMulti(). This function takes two parameters: an address array, _to, for naming receivers and an uint256 array, _value, for holding the amount transferring to each receiver. In line 250, we notice that amount is calculated by adding the product of _value and 10 to the power of decimal (set as 8 in the contract constructor). Obviously, this could be an integer overflow case because the sanity check in line 252 can be easily bypassed. To demonstrate, we craft a proof-of-concept with following parameters:

  1. _to
    • 0x93995bc9db9ae7af4f969400012c6fe94c93f761
    • 0x0c2a5f9a88bf2467f0b90e80e263e6c25daed62d
  2. _value
    • 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e
    • 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e

Since there’re two receivers, the loop in line 249-251 would be iterated twice. The execution proceeds as follows:

Iteration 1

amount += _value[0]*10**uint256(decimals);
==> amount += 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e * 100,000,000 (line 250)

Iteration 2

amount += _value[1]*10**uint256(decimals);
==> amount += 0x15798ee2308c39df9fb841a566d74f87a7a9a7aeb02c2d2f8e0d1e768e * 100,000,000 (line 250)
Now, amount is overflowed successfully to 0x10000000000000000000000000000000000000000000000000000000004319c00 which equals to 0x4319c00 in uint256 format.

As long as the attacker has enough tokens, i.e., balanceOf[msg.sender] >= 0x4319c00, each receiver will receive a tremendous number of tokens — 0x800000000000000000000000000000000000000000000000000000000218ce00.

The following figure demonstrates a successful attack which proves our theory:

Figure 2: A multiOverflow-Exploiting POC

Affected Tokens

The multiOverflow bug is of the same nature of other integer overflow vulnerabilities (e.g., batchOverflow and proxyOverflow) and could cause similar damages. When analyzing deployed smart contracts, we find a few are affected. A particular example token is SCA, which is deployed by SocialChain (a blockchain startup focusing on entertainment and leisure industries). SCA is currently in the pre-sale stage, which means a successful multiOverflowattack can wreak havoc and cause serious financial loss to the company.

Upon the detection, we immediately contacted SocialChain and provided them with vulnerability details and necessary technical supports. The SCA team promptly responded to our notification and took actions to fix the problem actively. As of the time publishing this blog, a new smart contract with the multiOverflow bug fixed has been deployed while all addresses holding SCA tokens have been mapped to the new contract successfully. We applaud the team’s reaction and believe this is what a high-quality development team should behave!

Conclusion

As cryptocurrency is getting acceptable to the public, a popular way for entrepreneurs to raise funds is to issue tokens. Compare to prosperity of various tokens, security in blockchain is still at a primitive stage. As indicated in recent discovery of various smart contract vulnerabilities, very few (token-issuing) teams have taken the security into serious consideration before deploying their smart contracts.

We believe security is essential in any blockchain-based smart contracts and any token-related businesses (including ICOs and live DAPPs). Ealier vulnerabilities such as batchOverflow and proxyOverflow have demonstrated how devastating they could be once exploited by attackers. Regarding the SocialChain case, it’s fortunate that we are ahead by identifying and fixing the bug before any multiOverflow attack, thus successfully preventing possible damage or financial loss. But always keep in mind, attackers are out there, lurking in the shadows and seeking for another chance. This would be an endless arms race!

Leave a Reply