Quantstamp (QSP), a smart contract security firm that recently assisted Binance in auditing its listed ERC20 tokens against the recent batchOverflow and proxyOverflow 0-day vulnerabilities, has said it is proud to have assisted with the security audit, adding that it deeply applauds the Binance team, whose proactive response and high standards for security helped mitigate the risk of harm to Binance's several million users.
A statement by Jonathan Haas, head of security at Quantstamp, commends Binance's immense diligence and says the security firm values Binance's immeasurable dedication to the security of its customers.
The security firm asserted that, without its swift response, the funds that could have been targeted had these vulnerabilities affected listed tokens would have been enormous.
It states further that Quantstamp's (QSP) combined automated and manual audits allowed the security company to swiftly audit and secure all currently listed ERC20 tokens on Binance. The company states that it has already confirmed these tokens are unaffected by the recently identified vulnerabilities.
Speaking on the development, Richard Ma, CEO of Quantstamp, said:
“Quantstamp shares Binance’s safety-first philosophy in protecting their customers and supports the exchange’s ambitions to create the gold standard in security for the mass adoption of digital currencies. In light of the recent vulnerabilities, we are proud to have assisted Binance in its mission to help protect their token holders and the wider Ethereum community”
About BatchOverflow and ProxyOverflow vulnerabilities
According to security experts, the BatchOverflow and ProxyOverflow exploits are caused by non-standard ERC20 code that failed to apply the SafeMath library. That is why security professionals advise that smart contracts be audited to a satisfactory security standard before deployment; doing so allows such bugs to be eradicated.
The BatchOverflow and ProxyOverflow bugs enable an attack known as an “integer overflow.” This occurs when a program tries to store a whole number that is too large for its integer data type, so the stored value wraps around. What this means, according to a Quantstamp (QSP) security expert, is that when a contract is fed an excessively large number, attackers gain the opportunity to create an additional supply of tokens that did not previously exist in the system.
This is dangerous to exchanges because it presents a significant attack vector: “token minting” can happen without any audit, causing the issuance of tokens that were never authorized.
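The following is an added illustration of the arithmetic behind the overflow just described, not code from Quantstamp, Binance or any affected token. It models the EVM's 256-bit unsigned integer in Python: an unchecked multiplication of a recipient count by a per-recipient amount wraps modulo 2^256, so a total that should be astronomically large can come out as a tiny number and pass a sender-balance check, while a SafeMath-style checked multiply rejects the same inputs. The function names and the toy balance check are assumptions made for the example.

```python
# Added example (not the page's or any project's code): why an unchecked
# uint256 multiply in a batch transfer wraps, and how a SafeMath-style
# checked multiply stops it. Names below are hypothetical.

UINT256_MAX = 2**256 - 1


def evm_mul(a: int, b: int) -> int:
    """Unchecked EVM multiplication: the product is truncated modulo 2**256."""
    return (a * b) & UINT256_MAX


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: raise instead of silently wrapping.

    The check mirrors SafeMath's `require(c / a == b)`: if the truncated
    product divided by `a` no longer gives `b`, information was lost.
    """
    if a == 0:
        return 0
    c = evm_mul(a, b)
    if c // a != b:
        raise ArithmeticError("uint256 multiplication overflow")
    return c


def unchecked_batch_total(receiver_count: int, amount_each: int) -> int:
    """Total a naive batch transfer would compute (can wrap to a small value)."""
    return evm_mul(receiver_count, amount_each)


def checked_batch_total(receiver_count: int, amount_each: int) -> int:
    """Total computed with the overflow check (raises on wrap)."""
    return safe_mul(receiver_count, amount_each)


def overflow_rejected(receiver_count: int, amount_each: int) -> bool:
    """True if the checked version refuses these inputs."""
    try:
        checked_batch_total(receiver_count, amount_each)
    except ArithmeticError:
        return True
    return False


def balance_check_passes(sender_balance: int, receiver_count: int,
                         amount_each: int, checked: bool) -> bool:
    """Toy model of the `require(balance >= total)` guard in a batch transfer.

    With the unchecked total, a wrapped product can satisfy the guard even
    though each recipient is about to be credited an enormous amount.
    """
    total = (checked_batch_total if checked else unchecked_batch_total)(
        receiver_count, amount_each)
    return sender_balance >= total


if __name__ == "__main__":
    # Two recipients, each to receive 2**255: the true total is 2**256,
    # which the unchecked arithmetic truncates to 0.
    print(unchecked_batch_total(2, 2**255))            # 0 after wraparound
    print(overflow_rejected(2, 2**255))                 # True
    print(balance_check_passes(0, 2, 2**255, checked=False))  # True: guard bypassed
```

The point for auditors is the difference between the two totals: any contract that derives a transfer total from a multiplication, without a check of the `c / a == b` form or a compiler that performs checked arithmetic, should be treated as suspect.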
How The Bugs Were Detected
In April, PeckShield's automated system, which monitors ERC20 token transfers for unusual activity, discovered that an anomalously large amount of tokens had been sent in BeautyChain (BEC).
The PeckShield team then examined the BeautyChain contract for vulnerabilities and discovered batchOverflow and proxyOverflow. These bugs may not be limited to ERC20 tokens; many other contracts may carry the same vulnerability because their code was never checked. It is better to catch vulnerabilities before contracts go live, which is why code should be audited before customers are allowed to use it.
Quantstamp (QSP) is the first smart contract security-auditing protocol deployed by smart contract platforms for vulnerability checks. The protocol extends Ethereum with technology that ensures the security of smart contracts. The team behind it is made up of software testing experts who collectively have over 500 Google Scholar citations.
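As an added example of the kind of transfer monitoring described above (not PeckShield's system or any exchange's code), the block below runs two simple heuristics over a constructed list of Transfer events: an absolute check that flags any transfer larger than the token's entire supply, which no legitimate balance can fund, and a relative check that flags a transfer far above the median of the transfers seen so far. The token supply, addresses, transaction ids and amounts are all made up for the example.

```python
# Added example (not the page's or any project's code): a minimal transfer
# monitor that flags overflow-style anomalies. All data below is constructed.
import statistics
from typing import Dict, List, Tuple

# Assumed total supply for a hypothetical 18-decimal token.
TOTAL_SUPPLY = 7_000_000_000 * 10**18

# Constructed sample Transfer events, in block order (not real chain data).
SAMPLE_TRANSFERS: List[Dict] = [
    {"tx": "0xaaa1", "from": "0xalice", "to": "0xbob",   "value": 1_500 * 10**18},
    {"tx": "0xaaa2", "from": "0xbob",   "to": "0xcarol", "value": 20 * 10**18},
    {"tx": "0xaaa3", "from": "0xcarol", "to": "0xdave",  "value": 900 * 10**18},
    # An amount larger than every token in existence: the signature of a
    # wrapped multiplication crediting a recipient.
    {"tx": "0xaaa4", "from": "0xdave",  "to": "0xerin",  "value": 2**255},
    # Within supply, but a thousand-fold jump over the typical transfer.
    {"tx": "0xaaa5", "from": "0xerin",  "to": "0xfrank", "value": 5_000_000 * 10**18},
]


def flag_transfers(events: List[Dict], total_supply: int,
                   spike_factor: int = 1000) -> List[Tuple[str, List[str]]]:
    """Return (tx, reasons) for every event that trips a heuristic.

    Heuristic 1: value > total supply (impossible for an honest balance).
    Heuristic 2: value > spike_factor * median of the unflagged transfers
                 seen so far (needs at least two baseline samples).
    Flagged events are not added to the baseline, so one anomaly does not
    inflate the median and mask the next.
    """
    flagged: List[Tuple[str, List[str]]] = []
    baseline: List[int] = []
    for ev in events:
        reasons: List[str] = []
        if ev["value"] > total_supply:
            reasons.append("value exceeds total supply")
        if len(baseline) >= 2 and ev["value"] > spike_factor * statistics.median(baseline):
            reasons.append("value is a spike relative to recent transfers")
        if reasons:
            flagged.append((ev["tx"], reasons))
        else:
            baseline.append(ev["value"])
    return flagged


if __name__ == "__main__":
    for tx, reasons in flag_transfers(SAMPLE_TRANSFERS, TOTAL_SUPPLY):
        print(tx, "->", "; ".join(reasons))
```

In practice the baseline would be kept per token and the supply read from the contract's `totalSupply()`, but the two checks are the core: the first is deterministic and catches overflow-minted balances outright, the second catches large but in-range anomalies that deserve a human look.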