Highly-Manipulatable ERC20 Tokens Identified in Multiple Top Exchanges (including Binance, Huobi, and OKex)
Publicly tradable ERC-20 tokens have considerable high market value. Various exchanges, either centralized (e.g., Binance, Huobi.pro, and OKex) or decentralized (e.g., IDEX, EtherDelta, ForkDelta), provide the marketplace by listing them, especially with high-liquidity ones, for public trading. Evidently, the transparency and security of their corresponding smart contracts is paramount. In practice, there is a de-facto requirement for these contract to be publicly verifiable on etherscan.io. Moreover, reflecting the fundamental “code-is-law” spirit and trust of blockchain technology, these contracts once deployed should not be further subject to centralized control or manipulation.
In this blog, we would like to report a security issue called tradeTrap (mixed with vulnerable implementation) that utterly violates the above requirement. Unfortunately, tradeTrap plagues hundreds of ERC20 tokens and we have so far confirmed at least ten of them are publicly tradable on current exchanges. Those affected tokens could be of high-profit arbitrage opportunities to bad guys.
Due to the range and severity of affected exchanges and tokens, we choose not to disclose the information of affected tokens for now. Instead, we list the affected exchanges as follows:
We strongly encourage the above exchanges to contact us immediately. We are willing to provide detailed information and necessary technical support to proactively mitigate and recover from this security issue. We are reachable at telegram (by browsing https://t.me/peckshield) and WeChat (by scanning the following QR-code):
PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of current blockchain ecosystem. For any business or media inquires (including the need for smart contract auditing), please contact us at telegram, twitter, or email.