Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2018-10299 PoC — Beauty Ecosystem Coin smart contract 数字错误漏洞

Source
https://github.com/phzietsman/batchOverflow
Associated Vulnerability
Title:Beauty Ecosystem Coin smart contract 数字错误漏洞 (CVE-2018-10299)
Description:An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the "batchOverflow" issue.
Description
A fix for the batchOverflow bug https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536
Readme
# batchOverflow
[![Build Status](https://travis-ci.org/phzietsman/batchOverflow.svg?branch=master)](https://travis-ci.org/phzietsman/batchOverflow)

A fix for the [batchOverflow bug](https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536) found by the [PeckShield](https://peckshield.com/) team.


## a fix
The original contract only did a check to ensure the sender has enough *whatever* to pay the total amount (input value x number of addresses). If an overflow ocurred this amount can be zero, which would allow the test on `line 12` to pass. 

![execute](./README/buggy.png?raw=true)

One possible fix is to add another test to check if the sender's balance minus the amount is less than his current balance. If a overflow ocurred the balances would be same, making it an invalid transaction. This however will still not fix the problem. If the attacker has a small balance, say 10 whatever, the attacker could craft _value to overflow to some amount smaller than the current balance they currently hold and thereby passing this gate.

Better fix would be to simply check if the total amount that transferred is greater or equal that _value. If an overflow occurred, this test would not pass. For an attacker to get past this gate they would need a minimum of a that magical number / 20, which is still a very large amount and probably impossible to get without exploiting another bug.

## test it
Ensure that you have truffle installed and run the `truffle test` command from the root of your project. It should look something like this.

![execute](./README/test.png?raw=true)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →