Assessing The ERC20 Token Exchange Withdrawal Bug / Exploit

See the Reddit post Worry-some bug / exploit with ERC20 token transactions from exchanges and the Golem post How to Find $10M Just by Reading the Blockchain.

The problem lies in how exchanges implement their withdrawal functions and appears to work as follows:

  • A user has a certain ERC20 token balance in the exchange, say 1,000 units
  • The user wants to withdraw this balance into an external Ethereum address
  • The user specifies an external Ethereum address that is too short (19 bytes instead of 20), and the balance of 1,000 units
  • The exchange checks the amount to be transferred, and it falls within the user’s balance
  • The exchange issues the ERC20.transfer(address, value) call with the address that is too short and the correct value
  • The ABI encoding performed by the exchange’s Web3 / JSON-RPC client does not reject the short address, so the resulting calldata is one byte short. The EVM reads the missing trailing byte as zero: the address word absorbs the first byte of the value word, and the value word is shifted left by one byte, i.e., multiplied by 256 per missing byte. With one byte missing, 1,000 becomes 256,000
  • The transaction transfers 256,000 units of the token to the user’s address, provided the exchange’s hot wallet holds that many
  • The user can craft the address to end in a zero byte and omit it: the first byte of the (zero-padded) value field then fills the gap, so the address the contract sees is the user’s correct address
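To make the mechanics concrete, the following is an added example (not code from the original post, from any exchange, or from any token contract). It models, in Python, a lenient ABI encoder that copies whatever address bytes it is given, the EVM's CALLDATALOAD behaviour of reading past the end of calldata as zero bytes, and the two mitigations: an exchange-side length check on the address and the contract-side payload-size check (the onlyPayloadSize pattern). The addresses, the 1,000-unit balance and the encoder behaviour are constructed assumptions for illustration. The transfer selector 0xa9059cbb is the real first four bytes of keccak256("transfer(address,uint256)").

```python
"""Model of the ERC20 short-address withdrawal bug.

Constructed example: the lenient encoder, the addresses and the balance are
assumptions made for illustration, not code from any exchange or token.
"""

# First 4 bytes of keccak256("transfer(address,uint256)").
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
ADDRESS_MASK = (1 << 160) - 1


def _hex_to_bytes(address_hex: str) -> bytes:
    return bytes.fromhex(address_hex[2:] if address_hex.startswith("0x") else address_hex)


def encode_transfer_lenient(address_hex: str, value: int) -> bytes:
    """Assumed lenient encoder: prepends the 12 zero bytes that pad a 20-byte
    address to a 32-byte word, then copies however many address bytes it was
    given. A 19-byte address therefore yields calldata one byte too short."""
    return TRANSFER_SELECTOR + b"\x00" * 12 + _hex_to_bytes(address_hex) + value.to_bytes(32, "big")


def encode_transfer_strict(address_hex: str, value: int) -> bytes:
    """Hardened encoder: refuse any address that is not exactly 20 bytes."""
    addr = _hex_to_bytes(address_hex)
    if len(addr) != 20:
        raise ValueError(f"address must be 20 bytes, got {len(addr)}")
    return TRANSFER_SELECTOR + addr.rjust(32, b"\x00") + value.to_bytes(32, "big")


def calldataload(data: bytes, offset: int) -> int:
    """Mimic the EVM CALLDATALOAD opcode: bytes beyond the end of calldata read as zero."""
    word = data[offset:offset + 32]
    return int.from_bytes(word.ljust(32, b"\x00"), "big")


def decode_transfer_as_evm(data: bytes) -> tuple[str, int]:
    """Decode the arguments the way a token contract with no payload-size check
    does: two 32-byte words after the selector, regardless of calldata length."""
    if data[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a transfer() call")
    to = calldataload(data, 4) & ADDRESS_MASK
    value = calldataload(data, 36)
    return "0x" + to.to_bytes(20, "big").hex(), value


def has_correct_payload_size(data: bytes, num_args: int = 2) -> bool:
    """Contract-side mitigation (onlyPayloadSize pattern): msg.data must be
    exactly 4 selector bytes plus 32 bytes per argument."""
    return len(data) == 4 + 32 * num_args


def run_exploit_scenario(exchange_balance_of_user: int = 1_000) -> dict:
    """Walk through the withdrawal with a crafted short address (constructed data)."""
    # The attacker controls an address whose last byte is 0x00 ...
    real_address = "0x" + "ab" * 19 + "00"
    # ... and submits it with that trailing byte dropped (19 bytes instead of 20).
    short_address = "0x" + "ab" * 19
    requested = exchange_balance_of_user  # passes the exchange's balance check

    data = encode_transfer_lenient(short_address, requested)
    to, value = decode_transfer_as_evm(data)
    return {
        "calldata_len": len(data),               # 67 bytes instead of 68
        "decoded_to": to,                        # the attacker's real 20-byte address
        "decoded_value": value,                  # requested * 256
        "payload_size_ok": has_correct_payload_size(data),
        "real_address_recovered": to == real_address,
    }


if __name__ == "__main__":
    for key, val in run_exploit_scenario().items():
        print(f"{key}: {val}")
```

Both mitigations catch the same defect from different sides: encode_transfer_strict rejects the 19-byte address before any transaction is built, and has_correct_payload_size shows what a token contract sees when it checks msg.data length, since the crafted call arrives with 67 bytes rather than the 68 a two-argument transfer must have.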

The transaction that raised the issue is 0x0213fb70… and has the following transfer data:

Breaking up the data into the proper chunks:

The value field will be padded with zeros to make up 64 characters:

Conclusion

CryptoDerivatives.Market Is Not Affected By The Exchange ERC20 Withdrawal Bug.
