A lot of people are concerned about what impact the recently discovered batchOverflow vulnerability has on Ethereum and ERC-20 tokens, as first disclosed in this article:
Here is a summary of Han Chang's (CTO of CoinFi) conclusions:
- There is no fundamental issue with Ethereum’s codebase or infrastructure.
The “bug” is an integer overflow, which is well known and common in many programming languages, not just Solidity (the programming language that Ethereum smart contracts are written in).
- The bulk of ERC-20 tokens are NOT affected.
Any smart contract developer worth their salt will know about this issue and correctly use a SafeMath library to catch overflows, preventing them from affecting the logic of the program. This is also why smart contract audits by well-established third parties help catch these types of bugs.
- How do you make sure the tokens you hold aren’t affected?
If you are concerned, ask the following questions to the project:
- Who audited the project’s smart contracts?
- Did they integrate a SafeMath library? (The industry standard is OpenZeppelin’s: https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/contracts/math/SafeMath.sol)
- Did they make sure to use the SafeMath functions when performing any large arithmetic calculations?
If you’re somewhat technical, you’ll also want to inspect the token’s actual smart contract code, if at all possible, to confirm that the project owners are telling the truth.
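To make the overflow and the SafeMath check concrete, here is an added illustration (not CoinFi's, OpenZeppelin's, or any real token's code) that models Solidity's uint256 arithmetic in Python: the unchecked version silently wraps modulo 2**256, while the SafeMath-style version applies the same `c / a == b` and `c >= a` tests as the OpenZeppelin library and reverts. The toy token contract, the account names and the balances are constructed for the example; the point to look for when inspecting a real contract is whether the batch-amount multiplication goes through `mul()` or through bare `*`.

```python
"""Model of Solidity uint256 arithmetic: wrapping versus SafeMath-style checked.

Added illustration only; the Token class is a constructed toy, not a real
ERC-20 contract, and the account names are placeholders.
"""

UINT256_MAX = 2**256 - 1


class SafeMathError(Exception):
    """Stands in for a failed assert()/require() that reverts the transaction."""


# --- Unchecked EVM semantics: results silently wrap modulo 2**256 ---
def unchecked_mul(a, b):
    return (a * b) & UINT256_MAX


def unchecked_add(a, b):
    return (a + b) & UINT256_MAX


# --- SafeMath-style checked arithmetic (same checks as OpenZeppelin's SafeMath) ---
def safe_mul(a, b):
    if a == 0:
        return 0
    c = unchecked_mul(a, b)
    if c // a != b:  # a wrapped product fails the division round-trip
        raise SafeMathError("multiplication overflow")
    return c


def safe_add(a, b):
    c = unchecked_add(a, b)
    if c < a:  # a wrapped sum is smaller than one of its operands
        raise SafeMathError("addition overflow")
    return c


def safe_sub(a, b):
    if b > a:
        raise SafeMathError("subtraction underflow")
    return a - b


def mul_overflows(a, b):
    """True if SafeMath would revert a * b for these uint256 operands."""
    try:
        safe_mul(a, b)
        return False
    except SafeMathError:
        return True


class Token:
    """Toy ERC-20 ledger (constructed) with a batch transfer in two flavours."""

    def __init__(self, owner, supply):
        self.total_supply = supply
        self.balances = {owner: supply}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def batch_transfer_unchecked(self, sender, receivers, value):
        # Vulnerable pattern: the total is computed with wrapping arithmetic,
        # so a huge value can wrap to a tiny total and pass the balance check.
        amount = unchecked_mul(len(receivers), value)
        if self.balance_of(sender) < amount:
            raise SafeMathError("insufficient balance")
        self.balances[sender] = self.balance_of(sender) - amount
        for r in receivers:
            self.balances[r] = unchecked_add(self.balance_of(r), value)

    def batch_transfer_safe(self, sender, receivers, value):
        # Hardened pattern: every step goes through SafeMath, so the overflow
        # reverts before any balance is modified.
        amount = safe_mul(len(receivers), value)
        self.balances[sender] = safe_sub(self.balance_of(sender), amount)
        for r in receivers:
            self.balances[r] = safe_add(self.balance_of(r), value)

    def ledger_consistent(self):
        # Invariant every ERC-20 should keep: balances sum to the total supply.
        return sum(self.balances.values()) == self.total_supply


def demo():
    """Run both flavours on the same input; return whether each kept the invariant."""
    huge = 2**255  # 2 receivers * 2**255 wraps to exactly 0 in uint256
    receivers = ["0xRECV1", "0xRECV2"]  # placeholder addresses

    t1 = Token("0xSENDER", supply=1000)
    t1.batch_transfer_unchecked("0xSENDER", receivers, huge)
    unchecked_ok = t1.ledger_consistent()  # False: each receiver now holds 2**255

    t2 = Token("0xSENDER", supply=1000)
    try:
        t2.batch_transfer_safe("0xSENDER", receivers, huge)
    except SafeMathError:
        pass  # reverted before any balance changed
    safe_ok = t2.ledger_consistent()  # True
    return unchecked_ok, safe_ok


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The `ledger_consistent()` invariant is the practical audit check: after the unchecked call the sum of balances exceeds the total supply, which is exactly the symptom exchanges were reacting to, whereas the SafeMath path never reaches a state where that invariant is broken.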
- Exchanges’ response of halting deposits and withdrawals of ALL ERC-20 tokens is a bit of an overreaction.
So far, Huobi, OkEx, HitBTC, and Poloniex have halted. Huobi’s outage was only two hours, so that’s not too bad.
There are probably better ways to reduce the impact on users while still mitigating any consequences of this vulnerability, such as limiting deposits and withdrawals to a certain threshold instead of halting them outright.
- How do I make money off of this?
If Ethereum or ERC-20 token prices drop on this news, it’s a great chance to buy! There’s nothing fundamentally wrong with Ethereum or most ERC-20 tokens, so you might as well take advantage of the FUD now that you know what’s really going on 🙂
Rest assured that CoinFi (COFI) is not affected by this vulnerability as we integrate and utilize SafeMath in both our token issuance and airdrop smart contracts.