Smart Contract Bug Nearly Freezes Transfers in $800 Million Worth of Icon Tokens

June 20, 2018

A simple typo nearly led to a complete disaster for an ICOed projects that currently has a market cap of some $800 million.

Around two days ago someone discovered a way to prevent token transfers. Who exactly first discovered this bug is unclear at this stage, but an unknown project called Yggdrash had seemingly copied Icon’s smart contract.

“I think the first time they found out was when someone unlocked YGG, and they attempted to relock it and failed,” someone who wanted to be named only as Ben H from an ICO consulting firm of sorts called Wolf Crypto, says.

The team at Wolf Crypto then carried out some searches and found Icon had the same problem. Try and spot the utterly basic error:

The highlighted part says to modify sending from the wallet require that the sender is not the wallet address. In other words anyone can modify this function, except for the token owner, so freezing transactions, when instead of ! (not) it should have had = (is).

“4chan did it for about an hour,” Alex F from Wolf Crypto says. You can’t short Icon as far as we are aware, so there isn’t a monetary gain to lock others from transferring. You actually have to pay for it in gas fees, but the lulz were apparently worth it for some.

“Minor bug. Quick solution initiated. Permanent solution already in the works and expected to be done today. Thank you for your patience and understanding,” Min Kim, from the Foundation Council at Icon, says.

That angered some because you’d have to try very hard to think of any more major bug besides those that allow for actual ownership changes or complete freezing of funds.

A very short official statement from Icon likewise left some dissatisfied, leaving the public with only reddit to get some actual information.

There is a workaround, someone suggested, whereby the contract owner can unlock transfers. So apparently they wrote a script to enable transfers of tokens others have disabled for transferring.

“Spamming enable transfer is half-ass. They aren’t even very good at it. When they first started spamming it they were using 2 gwei and 750k gas limit,” Alex says.

It’s unclear what the permanent solution is which Kim says will be done today. Smart contracts can not easily be changed, although there can be designs which allow for it to be updated but that’s not used in Icon.

So their only option would be to launch a new contract and link tokens with it, but they’re apparently preparing for a main-net launch and a token swap, so once they have their own blockchain this bug would be irrelevant.

“There is no excuse for this and we take full responsibility… but, we’re not sorry either because hiccups are part of growth,” Kim says. Many disagree.

“This is a serious blow to their credibility as a competent team. To have not done any unit testing and be crippled by such a bug…,” Ben says.

Bugs, of course, are expected. In a Turing complete set-up, there is so much endless complexity that it is difficult to escape all potential scenarios unless you’re very tight with the code.

But simple bugs, or worse, typos, are not expected because a few more eyes on the code would have caught it and saved what could have been a far worse scenario or situations like here where you might have scripts battling scripts with locks and unlocks.

Nor does it seem this bug was unknown. Someone tried to exploit it around 270 days ago. “That account received 12,500 ICX 270 days ago – then 2018-04-25 that account executed “enableTokenTransfer” on ICON’s contract – without testing ‘disableTokenTransfer,’” a coder going by the name of Seb says.

It might have been someone who failed KYC, but then how did he receive the tokens. In any event, this simple bug may have been known for some time.

That shows just how trappy Solidity can be, making audits a must for any project that plans to hold value because now with Solidity searches at all time high and anyone able to learn it from online tutorials, any bug will be exploited for lulz or gains.

Correction: Article mistakenly credited Crypto Wolf instead of Wolf Crypto.


Source: Read Full Article