Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-10299 PoC — Beauty Ecosystem Coin smart contract 数字错误漏洞

Source
https://github.com/phzietsman/batchOverflow
Associated Vulnerability
Title:Beauty Ecosystem Coin smart contract 数字错误漏洞 (CVE-2018-10299)
Description:Beauty Ecosystem Coin(BEC)是美链基金会(Beauty Chain基金会)的一套基于区块链技术的虚拟货币系统。smart contract是其中的一个智能合约。 BEC中的smart contract的实现的‘batchTransfer’函数存在整数溢出漏洞。攻击者可利用该漏洞增加原本指定的数字资产。
Description
A fix for the batchOverflow bug https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536
Readme
# batchOverflow
[![Build Status](https://travis-ci.org/phzietsman/batchOverflow.svg?branch=master)](https://travis-ci.org/phzietsman/batchOverflow)

A fix for the [batchOverflow bug](https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536) found by the [PeckShield](https://peckshield.com/) team.


## a fix
The original contract only did a check to ensure the sender has enough *whatever* to pay the total amount (input value x number of addresses). If an overflow ocurred this amount can be zero, which would allow the test on `line 12` to pass. 

![execute](./README/buggy.png?raw=true)

One possible fix is to add another test to check if the sender's balance minus the amount is less than his current balance. If a overflow ocurred the balances would be same, making it an invalid transaction. This however will still not fix the problem. If the attacker has a small balance, say 10 whatever, the attacker could craft _value to overflow to some amount smaller than the current balance they currently hold and thereby passing this gate.

Better fix would be to simply check if the total amount that transferred is greater or equal that _value. If an overflow occurred, this test would not pass. For an attacker to get past this gate they would need a minimum of a that magical number / 20, which is still a very large amount and probably impossible to get without exploiting another bug.

## test it
Ensure that you have truffle installed and run the `truffle test` command from the root of your project. It should look something like this.

![execute](./README/test.png?raw=true)
File Snapshot

 [4.0K]  /data/pocs/9f0b8e5be74e9128c7b9e53e823887ade8cc3aea
├── [4.0K]  contracts
│   ├── [ 763]  BatchNoOverflow.sol
│   ├── [ 732]  BatchOverflow.sol
│   └── [ 515]  Migrations.sol
├── [ 11K]  LICENSE
├── [4.0K]  migrations
│   ├── [ 129]  1_initial_migration.js
│   ├── [ 138]  2_batchOverflow_migration.js
│   └── [ 144]  3_batchNoOverflow_migration.js
├── [4.0K]  README
│   ├── [ 45K]  buggy.png
│   └── [ 21K]  test.png
├── [1.6K]  README.md
├── [4.0K]  test
│   ├── [1.3K]  batchNoOverflow.js
│   └── [1.1K]  batchOverflow.js
├── [ 135]  truffle-config.js
└── [ 135]  truffle.js

4 directories, 14 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.