Highly-Manipulatable ERC20 Tokens Identified in Multiple Top Exchanges (including Binance, Huobi, and OKex)

Highly-Manipulatable ERC20 Tokens Identified in Multiple Top Exchanges (inc #Binance, #Huobi, and #OKex) please contact peckshield
#Security issue called tradeTrap
#bugbounty #vulnerability #Crypto #ethereum @VitalikButerin @binance
@HuobiGroup @OKEx_

Publicly tradable ERC-20 tokens have considerable high market value. Various exchanges, either centralized (e.g., Binance, Huobi.pro, and OKex) or decentralized (e.g., IDEX, EtherDelta, ForkDelta), provide the marketplace by listing them, especially with high-liquidity ones, for public trading. Evidently, the transparency and security of their corresponding smart contracts is paramount. In practice, there is a de-facto requirement for these contract to be publicly verifiable on etherscan.io. Moreover, reflecting the fundamental “code-is-law” spirit and trust of blockchain technology, these contracts once deployed should not be further subject to centralized control or manipulation.

In this blog, we would like to report a security issue called tradeTrap (mixed with vulnerable implementation) that utterly violates the above requirement. Unfortunately, tradeTrap plagues hundreds of ERC20 tokens and we have so far confirmed at least ten of them are publicly tradable on current exchanges. Those affected tokens could be of high-profit arbitrage opportunities to bad guys.

Due to the range and severity of affected exchanges and tokens, we choose not to disclose the information of affected tokens for now.

CONTACT PECKSHIELD