#UselessEthereumToken
ragunath12 · 2 years ago
Blockchain Vulnerabilities: How to Avoid Writing Vulnerable Code and Vulnerable ERC20 Tokens
The way we think about a secure exchange of funds and information has been altered by blockchain technology.
This article focuses on the recently identified ERC20 batchOverflow vulnerability, the development mistakes that led to vulnerable ERC20 tokens, and the steps you should take to avoid repeating those mistakes.
ERC20 token vulnerability
In April 2018 an incident occurred that was later identified as the batchOverflow exploit. Vulnerable ERC20 contracts of coins such as BeautyChain (BEC) and MeshBox (MESH) were exploited to create an unreasonable number of tokens out of thin air.
Shortly following the discovery of the batchOverflow issue, PeckShield, a security firm, discovered many vulnerabilities in various Ethereum coins. Among the coins on the impacted list are:
Aurora Dao (AURA)
BeautyChain (BEC)
UG Token (UGT)
Smart Billions (SMART)
FirstCoin (FRST)
GG Token (GG)
CNY Token (CNY)
CNYTokenPlus (CNYt+)
UselessEthereumToken (UET)
Hexagon (HXG)
Education (EDU)
Smart Mesh (SMT)
MTC
SCA
These flaws were found not long after the batchOverflow attack was carried out. Researchers located them by investigating the suspicious transactions the attackers left behind.
The primary indicator of a suspicious transaction was an abnormally large transfer amount, which occasionally exceeded the total supply of the token. Several major exchanges completely stopped accepting deposits and withdrawals of ERC20 tokens in order to halt speculation. These exchanges were:
OKEx
Poloniex
Changelly
Huobi Pro
Two main problems with ERC20 tokens
While searching for vulnerabilities in ERC20 tokens, researchers found multiple attacks and gave each one a distinct name. In reality, though, all of these tokens share just two primary issues:
Overflow vulnerabilities
Unprotected functions
Let’s take a closer look at each of these problems.
Overflow vulnerabilities
Overflow vulnerabilities are based on exploiting integer overflow or underflow, a flaw found in ERC20 token contracts. The issue arises when the result of an arithmetic operation falls outside the range that the variable can represent.
In an Ethereum smart contract, subtracting anything from zero yields a very large value, and adding two very large values wraps around to a result close to zero.
In this instance, the susceptible code is on line 206. The addition on that line is not checked for overflow: large values of _value and _feeSmart can be chosen so that their sum wraps around to a value lower than the account’s balance. The condition then passes, and absurdly large amounts are added to the balances of the chosen accounts.
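The shape of that bug, as an added illustration rather than code from the article or from any of the tokens it lists: a fee is added to the transfer value with unchecked arithmetic and the wrapped sum is what the balance check sees, shown beside a version that uses a SafeMath-style checked library. Contract and parameter names (VulnerableFeeToken, transferWithFee, feeCollector) are hypothetical.

```solidity
pragma solidity ^0.4.24;

// Added illustration for this article; not code from the article or from any
// of the tokens it lists. It recreates the shape of the bug described above
// (a fee added to the transfer value with unchecked arithmetic, the wrapped
// sum feeding the balance check) beside a checked version. All contract and
// parameter names are hypothetical.

contract VulnerableFeeToken {
    mapping(address => uint256) public balances;
    address public feeCollector;

    constructor(address _feeCollector, uint256 _supply) public {
        feeCollector = _feeCollector;
        balances[msg.sender] = _supply;
    }

    // VULNERABLE: `_value + _feeSmart` is computed in wrapping uint256
    // arithmetic. If the true sum exceeds 2**256 - 1 the stored result is
    // small, the require() passes, and the recipients are still credited the
    // full `_value` and `_feeSmart` individually.
    function transferWithFee(address _to, uint256 _value, uint256 _feeSmart)
        public returns (bool)
    {
        require(balances[msg.sender] >= _value + _feeSmart);   // wrapped sum
        balances[msg.sender] -= _value + _feeSmart;            // same wrapped sum
        balances[_to] += _value;
        balances[feeCollector] += _feeSmart;
        return true;
    }
}

// Minimal SafeMath in the style of OpenZeppelin's pre-0.8 library: every
// operation reverts instead of silently wrapping.
library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction underflow");
        return a - b;
    }
}

contract SafeFeeToken {
    using SafeMath for uint256;

    mapping(address => uint256) public balances;
    address public feeCollector;

    constructor(address _feeCollector, uint256 _supply) public {
        feeCollector = _feeCollector;
        balances[msg.sender] = _supply;
    }

    // FIXED: the total is computed once with checked arithmetic, so a sum that
    // would wrap reverts before the balance check is ever evaluated.
    function transferWithFee(address _to, uint256 _value, uint256 _feeSmart)
        public returns (bool)
    {
        uint256 total = _value.add(_feeSmart);
        require(balances[msg.sender] >= total, "insufficient balance");
        balances[msg.sender] = balances[msg.sender].sub(total);
        balances[_to] = balances[_to].add(_value);
        balances[feeCollector] = balances[feeCollector].add(_feeSmart);
        return true;
    }
}
```

The SafeMath form is what the article’s advice below recommends for contracts written before Solidity 0.8. Since Solidity 0.8.0, plain `+`, `-` and `*` on integers revert on overflow by default, so recompiling the vulnerable version under `^0.8.0` would also close this hole; the review question is the same either way: does every arithmetic result that feeds a balance check revert rather than wrap?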
Unprotected function vulnerability
Unprotected functions are the second category of ERC20 token security issues. This type of ERC20 vulnerability appears when a developer neglects to include the modifier that limits access to a function. As a result, certain essential core functions can be called freely by any arbitrary user.
For instance, it is standard practice when writing Ethereum smart contracts to restrict access to particular functions to a single account. That account is usually referred to as the owner.
This is precisely what happened with the AURA token. The function that sets the owner is not restricted by the ownerOnly modifier, even though the other functions in the contract are. Consequently, anybody can call setOwner to make an arbitrary address the owner. Fortunately, at this point the owner account can do nothing more than a regular user, so the issue is left safely unpatched.
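The missing-modifier mistake described above, as an added example rather than the AURA contract or any other project’s code: an ownership setter left unguarded while the rest of the contract carries the modifier, next to a guarded version. Contract names and the mint function are hypothetical; the modifier keeps the article’s ownerOnly name.

```solidity
pragma solidity ^0.8.0;

// Added illustration for this article; not the AURA contract or any other
// project's code. It shows the mistake described above (an ownership setter
// left without the modifier that guards the rest of the contract) next to a
// guarded version. Names are hypothetical.

contract UnprotectedOwnerToken {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() {
        owner = msg.sender;
    }

    modifier ownerOnly() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // VULNERABLE: every privileged function has the modifier except the one
    // that decides who is privileged, so any caller can make itself owner.
    function setOwner(address _newOwner) public {
        owner = _newOwner;
    }

    // Guarded, but the guard is meaningless once setOwner is open to anyone.
    function mint(address _to, uint256 _amount) public ownerOnly {
        balances[_to] += _amount;
    }
}

contract ProtectedOwnerToken {
    address public owner;
    mapping(address => uint256) public balances;

    // Emitted on every ownership change so off-chain monitoring can alert on
    // a transfer that was not planned.
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    modifier ownerOnly() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // FIXED: the setter carries the same modifier and rejects the zero
    // address so ownership cannot be burned by accident.
    function setOwner(address _newOwner) public ownerOnly {
        require(_newOwner != address(0), "new owner is the zero address");
        emit OwnershipTransferred(owner, _newOwner);
        owner = _newOwner;
    }

    function mint(address _to, uint256 _amount) public ownerOnly {
        balances[_to] += _amount;
    }
}
```

A cheap review check is to list every function that writes to `owner` (or to any other state the modifier is meant to protect) and confirm each one carries the modifier; the event makes an unexpected change visible to whoever watches the contract’s logs.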
How to avoid writing vulnerable code
As you can see, these ERC20 vulnerabilities are typically the result of unintentional coding errors. Yet there are still vulnerable contracts on the Ethereum network, despite the fact that these errors are well recognised and simple to prevent.
Is there any way to keep from adding to the pile? Can you avoid writing vulnerable code when creating an ERC20 token? Of course you can. The following advice will help you ensure a high degree of code safety:
1. Explicitly declare the visibility of functions and state variables so that nothing is left exposed.
2. Use libraries like OpenZeppelin’s SafeMath to prevent overflows and underflows.
3. Watch out for rounding when dividing integers. Because division always rounds down, 5/2 equals 2, not 2.5.
4. To reduce gas usage and prevent denial-of-service attacks, let users pull tokens (in bonuses, games, airdrops, and so forth) rather than pushing tokens to them.
5. Use the most recent Solidity constructs:
   * Make appropriate use of require and assert so that an automated analyzer can formally verify your code.
   * Use keccak256 in place of sha3 and selfdestruct in place of suicide.
6. Deploy a test contract on Ropsten, a public testnet. Establish a bug bounty programme and let the community test your contracts.
7. Obtain an official audit of your contract’s security.
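Items 1, 2, 4 and 5 of the advice above applied in one contract, as an added example that is not the article’s or any project’s code: explicit visibility everywhere, checked arithmetic (built into Solidity 0.8 rather than SafeMath), a pull-based airdrop next to the push loop it replaces, and require for input checks versus assert for internal invariants. The contract and function names are hypothetical.

```solidity
pragma solidity ^0.8.0;

// Added illustration for this article; not the article's or any project's
// code. It applies items 1, 2, 4 and 5 of the advice above in one contract:
// explicit visibility everywhere, checked arithmetic (built into 0.8 instead
// of SafeMath), pull-based token distribution, and require for inputs versus
// assert for invariants. Names are hypothetical.

contract PullAirdropToken {
    address private immutable owner;
    uint256 public immutable totalSupply;
    mapping(address => uint256) private balances;
    mapping(address => uint256) private claimable;   // entitlement not yet withdrawn

    event Claimed(address indexed account, uint256 amount);

    constructor(uint256 _supply) {
        owner = msg.sender;
        totalSupply = _supply;
        balances[msg.sender] = _supply;
    }

    modifier ownerOnly() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // PUSH pattern (the one to avoid): the owner pays gas for every recipient,
    // and one failing transfer or a list too long for the block gas limit
    // reverts the whole batch, so nobody gets paid.
    function airdropPush(address[] calldata _recipients, uint256 _amount) external ownerOnly {
        for (uint256 i = 0; i < _recipients.length; i++) {
            _transfer(owner, _recipients[i], _amount);
        }
    }

    // PULL pattern: the owner only records who may withdraw how much...
    function allocate(address[] calldata _recipients, uint256 _amount) external ownerOnly {
        for (uint256 i = 0; i < _recipients.length; i++) {
            claimable[_recipients[i]] += _amount;   // 0.8 checked arithmetic: reverts on overflow
        }
    }

    // ...and each recipient pulls its own tokens, paying its own gas. A
    // failure here affects only that caller.
    function claim() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0;                // update state before moving funds
        _transfer(owner, msg.sender, amount);
        emit Claimed(msg.sender, amount);
    }

    function balanceOf(address _account) external view returns (uint256) {
        return balances[_account];
    }

    function _transfer(address _from, address _to, uint256 _amount) private {
        require(_to != address(0), "transfer to the zero address");   // input check
        require(balances[_from] >= _amount, "insufficient balance");  // input check
        balances[_from] -= _amount;
        balances[_to] += _amount;
        // Internal invariant, never a user-input check: tokens are only created
        // in the constructor, so no single balance can exceed the fixed supply.
        // A failing assert() means a bug in this contract; require() means bad input.
        assert(balances[_to] <= totalSupply);
    }
}
```

Keeping airdropPush and allocate side by side makes the trade-off concrete: both are owner-only, but only the pull version keeps one bad recipient or an oversized list from blocking everyone else, and the gas for the actual transfer moves to the party that benefits from it.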
You may increase the security of your code and avoid writing susceptible code by following these simple steps.
Conclusion
The recent batchOverflow hack demonstrated how a single coding error might result in a significant security issue. Although ERC-20 tokens are susceptible to overflows, developers only need to double-check their code and take extra precautions to avoid both overflows and underflows.
greggory--lee · 8 years ago
ICO Due Diligence – are you wasting time?
ICOs – not just another type of investment opportunity
They’re coming at you thick and fast, a new one being touted as the next big thing amid the gathering hail of pre-announcements and pre-launches. Initial Coin Offerings (ICO) are all the rage, promising incredible returns quicker than the time it takes to build, develop and market a new idea.
ICOs raised over $10 million in February 2017 and continued to generate hundreds of millions more since, collecting almost $1 billion in June and July alone, according to CoinSchedule. No other investment vehicle comes close in sheer speed and scale, with the likes of the BRAVE ICO raking in $35 million in 30 seconds and Bancor pushing $144 million in less than 3 hours.
Unlike conventional investments, ICO founders stake little or no equity, and investors gain little or no ownership of the product. The premise is simple: ICOs offer backers a chance to obtain newly-created tokens or cryptocurrency before they hit the market. And that’s all most investors will ever own: tokens.
Will due diligence protect me?
With so many to choose from, and many inevitably losing their initial value and causing huge losses to investors, people are advised to “do their own research” before buying in to an ICO. Whether you’re a financial banker or a couch investor, there are some basic due diligence guidelines you can adhere to that will help you determine which ICO to go for.
But don’t be fooled into thinking that doing this is enough to lead you into profits. Neither the most detailed whitepapers, nor most highly-rated ICOs given coverage by the most reputable media sources guarantee success.
ICOs don’t follow the rules
Don’t be fooled by ICOs that pass the myths of due diligence. Even after evaluating all of its assets, liabilities and commercial potential, an ICO’s performance can ultimately seem almost invariably arbitrary, as the following examples show.
Due Diligence Myth #1: Reputable and “real” development team
OneCoin (ONE): The OneCoin development team was highly transparent, with actual people and actual names actively promoting and even appearing in public. OneCoin was heavily promoted, its creator gracing the cover of Forbes and holding huge events across Europe, Asia and North America.
It didn’t run like a typical ICO, instead spending years between 2015 and 2017 pre-mining coins on a private blockchain and continuously recruiting investors in an unashamedly ponzi-like design, with plans to launch its coin to the public in 2018.
But it all started to fall apart after a string of OneCoin related arrests in India, Belize and China. Bitcoin.com later also gave evidence of OneCoin’s scam.
Opening price: $0.029
Last known price: $0.000866
Due Diligence Myth #2: Detailed roadmap, tech, whitepaper, great code
Supercomputer Organized by Network Mining (SONM): The SONM ICO was one for the tech geeks, with an immaculate whitepaper detailing how the project would solve the inefficiency problem of cloud platforms through decentralised computational power. With some brilliant minds behind the project, the ICO was listed among the “trusted block-chain startups” by the Economist and given a “better than the market” rating by ICOrating.
Despite raising $42 million in four days, SONM ran into technical difficulties with token distribution and heavy dumping took the price down, where it is still struggling.
Lowest ICO price: 0.00035 ETH
Current price: 0.00021 ETH
Due Diligence Myth #3: If there is no innovative idea, a great product is just as good
Monaco (MCO): Crypto-based debit cards weren’t a new thing, but they were notoriously expensive to use due to high fees, with service providers offering limited support. The Monaco Card proposed itself as “the world’s best cryptocurrency card”, using perfect inter-bank rates and an app to exchange between fiat and crypto.
It was a no-brainer at face value, especially with inbuilt e-KYC mechanisms and advertised 3-minute customer onboarding, leading it to raise more than $21 million in its ICO. Barring brief spikes post-ICO in early July, the token has seen a slow decline in the past few weeks.
Lowest ICO price: 0.006 ETH
Current price: 0.0045 ETH
Will ICOs ever be easier to evaluate?
The lesson here is that any investment is a risk, ICOs not least among them. No amount of due diligence is a guarantee of a quick buck. Of course, investors should not just throw caution to the wind. Good due diligence can still weed out obvious scams.
If you ever need motivation, just take a look at UselessEthereumToken (UET). Launched on June 26 2017, the UET ICO announced the “world’s first 100% honest token”. It openly claimed no value, no product, no whitepaper, no auditing. And it still raised $69,000 when it closed on 11 July 2017. If you had bought UETs at the ICO, you’d have paid anything from $0.10 to $46. Today, it’s trading at just over $0.01.
Source: http://bitcoinswiz.com/ico-due-diligence-are-you-wasting-time/