OKEx exchange suspended BEC withdrawal and trading because of batchOverflow attack

Abnormal BEC trading activities on OKEx were detected at around 13:00 Apr 22, 2018 (Hong Kong Time). As requested by the official BeautyChain (BEC) project team, the exchange suspended the BEC withdrawal service and the trading pairs BEC/USDT, BEC/BTC and BEC/ETH.

On April 24, 2018 the OKEx team decided to roll back the data of all three BEC trading pairs (BEC/BTC, BEC/ETH, and BEC/USDT) to 13:18:00 Apr 22, 2018 (Hong Kong time).

Only the BEC trades performed after the mentioned time will be rolled back, while the trades of all other tokens will not be affected.

According to PeckShield, a blockchain security company, someone transferred an extremely large amount of BEC tokens: 8 vigintillion (a cardinal number represented in the U.S. by 1 followed by 63 zeros). PeckShield explains that such abnormal BEC trading activities come from an "in-the-wild" attack that exploits a previously unknown vulnerability in the smart contract. For elaboration, the company calls this particular vulnerability batchOverflow. BatchOverflow is essentially a classic integer overflow issue.
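The batchOverflow class of bug, as an added illustration that is not code from the page, from PeckShield or from the BEC project: a Python model of a batch transfer whose recipient-count times per-recipient-amount product is computed in wrapping uint256 arithmetic, beside a SafeMath-style checked version that reverts instead. The function names, balances and the two-recipient scenario are constructed for the example.

```python
MASK = (1 << 256) - 1  # uint256 wraps modulo 2**256, as the EVM's MUL does


def mul_wrapping(a: int, b: int) -> int:
    """Multiplication as pre-0.8 Solidity performs it: silently wraps."""
    return (a * b) & MASK


def mul_checked(a: int, b: int) -> int:
    """SafeMath-style multiplication: detects wrap-around and reverts."""
    c = mul_wrapping(a, b)
    if a != 0 and c // a != b:
        raise OverflowError("uint256 multiplication overflow")
    return c


def batch_transfer(balances: dict, sender: str, receivers: list, value: int,
                   checked: bool) -> bool:
    """Model of a batchTransfer(address[] receivers, uint256 value) call.

    Returns True if the transfer was applied, False if it was rejected.
    The only difference between the two code paths is whether the
    recipients * value product is checked for overflow.
    """
    mul = mul_checked if checked else mul_wrapping
    count = len(receivers)
    try:
        amount = mul(count, value)
    except OverflowError:
        return False  # hardened path: the transaction reverts here
    # This guard is what the overflow defeats: when count * value wraps to a
    # small number, a sender holding (almost) nothing passes it.
    if value == 0 or balances.get(sender, 0) < amount:
        return False
    balances[sender] -= amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & MASK
    return True


def run_scenario(checked: bool) -> tuple:
    """Two recipients and value = 2**255, so count * value == 2**256, which
    wraps to 0 in uint256. Sample balances are constructed for the example."""
    balances = {"sender": 0}  # the sender owns no tokens at all
    ok = batch_transfer(balances, "sender", ["r1", "r2"], 1 << 255, checked)
    return ok, balances.get("r1", 0), balances.get("r2", 0)


if __name__ == "__main__":
    print("unchecked:", run_scenario(checked=False))  # (True, 2**255, 2**255)
    print("checked:  ", run_scenario(checked=True))   # (False, 0, 0)
```

The audit takeaway is the guard on the product, not the balance check: any contract that derives a total from a multiplication and then compares balances against that total needs the multiplication itself to be overflow-safe.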

PeckShield says that exchanges need to coordinate their response, and that other tradable tokens vulnerable to batchOverflow still exist. The presence of decentralized exchanges with off-chain trading services might pose additional challenges, as they cannot even stop attackers from laundering their tokens.