Hackers Steal 8 Vigintillion BEC Tokens

Coinmonks has discovered a vulnerability in ERC20 contracts
24 April 2018

On Sunday, the popular OKEx exchange suspended the withdrawal and trading of BeautyChain tokens (BEC), citing "anomalous activity". Coinmonks investigated the activity.

Coinmonks had developed an automated system for scanning suspicious ERC20 token transactions, and it raised an alert on April 22.

As it turned out, someone had stolen 8 vigintillion (a value with 63 zeros) BEC from the smart contract.

A more detailed study of the contract revealed a previously unknown vulnerability, which members of the Coinmonks community called batchOverflow.

Vulnerability

The vulnerable function is located in batchTransfer and the code is shown in Figure 2. As indicated in line 257, the amount local variable is calculated as the product of cnt and _value. The second parameter, i.e., _value, can be an arbitrary 256 bits integer, say 0x8000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000,0000 (63 0’s). By having two _receivers passed into batchTransfer(), with that extremely large _value, we can overflow amount and make it zero. With amount zeroed, an attacker can then pass the sanity checks in lines 258–259 and make the subtraction in line 261 irrelevant. Finally, here comes the interesting part: as shown in lines 262–265, the balance of the two receivers would be added by the extremely large _value without costing a dime in the attacker’s pocket!

Coinmonks
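The arithmetic described in the quoted analysis, as an added Python model that is not code from the article, from Coinmonks or from the BeautyChain contract: it reproduces the uint256 wrapping multiply beside a SafeMath-style checked multiply and shows that the checked version rejects the two-receiver, 2**255 input. Balances, account names and the `batch_transfer` helper are constructed for the demonstration.

```python
UINT256_MAX = 2**256 - 1


def wrapping_mul(a: int, b: int) -> int:
    """Multiply as the EVM does for uint256: the result silently wraps."""
    return (a * b) & UINT256_MAX


def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiply: raise (revert) instead of wrapping."""
    if a == 0:
        return 0
    c = a * b
    if c > UINT256_MAX or c // a != b:
        raise OverflowError("uint256 multiplication overflow")
    return c


def batch_transfer(balances, sender, receivers, value, mul):
    """Model of batchTransfer(_receivers, _value); returns new balances.

    `mul` selects the arithmetic: wrapping_mul models the vulnerable
    contract, checked_mul the hardened one. Raises on any failed check.
    """
    balances = dict(balances)
    cnt = len(receivers)
    amount = mul(cnt, value)                 # the product at line 257
    if not (0 < cnt <= 20):                  # sanity checks, lines 258-259
        raise ValueError("bad receiver count")
    if value == 0 or balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    balances[sender] -= amount               # subtraction at line 261
    for r in receivers:                      # credits at lines 262-265
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return balances


# Constructed scenario: sender holds 1 token, two receivers,
# _value = 0x8 followed by 63 hex zeros, i.e. 2**255.
SAMPLE = {"attacker": 1}
HUGE_VALUE = 0x8 << 252


def demo_vulnerable():
    # 2 * 2**255 = 2**256 wraps to 0, so every check passes.
    return batch_transfer(SAMPLE, "attacker", ["r1", "r2"], HUGE_VALUE, wrapping_mul)


def demo_hardened():
    try:
        batch_transfer(SAMPLE, "attacker", ["r1", "r2"], HUGE_VALUE, checked_mul)
        return "accepted"
    except OverflowError:
        return "reverted"
```

Running `demo_vulnerable()` leaves the sender's balance untouched while each receiver is credited 2**255; `demo_hardened()` returns "reverted", which is the behaviour a checked-arithmetic library such as SafeMath gives the contract.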

The researchers were also able to repeat this operation with another smart contract whose tokens are not traded on exchanges, and found a number of other contracts with the same defect whose tokens are traded on trading platforms.

They tried to warn the owners of the smart contracts about the vulnerability, but Ethereum's "code is law" practice makes this process difficult.

The vulnerability is a particular problem for decentralized exchanges, because they cannot even stop the attack.

SEC Accuses Veritaseum ICO of Fraud

The SEC believes that the project's token sale, through which it raised $14.8M in 2017-2018, showed signs of a scam and that the company misled investors
14 August 2019

The U.S. Securities and Exchange Commission (SEC) has sued a New Yorker and Veritaseum-related companies that the agency caught conducting an unregistered ICO with signs of fraud. This is reported by Cointelegraph.

According to documents published on the network, the SEC intends to hold Reggie Middleton accountable and immediately freeze the assets of Veritaseum Inc. and Veritaseum LLC.

The Commission claims that the defendants raised about $14.8 million through an initial coin offering (ICO) from 2017 to early 2018. At the same time, many investors were misled, as the company distorted information about the conditions of the token sale and deliberately hid some significant details.

The American regulator claims that the project still holds about $8 million of illegally raised funds. According to the SEC, these assets must be frozen immediately.

Amid this news, the Veritaseum (VERI) price has fallen by 70%. The coin is now trading near the $5 mark, although at the beginning of 2018 its price was approaching $500.

Veritaseum was created as a peer-to-peer financial platform for moving capital without traditional intermediaries. VERI was also positioned as a utility token for use in consulting services and for access to various research works.

In 2017, the blockchain startup Veritaseum fell victim to hackers, losing $8.4 million of ICO investors' funds.