Ahead of Mainnet, ICON (ICX) Stopgapped ERC20 Bug
As the week came to a close, the ICON Project (ICX) cryptocurrency — a top 25 crypto by market cap — saw its community forced to respond after a smart contract bug surfaced that allowed unintended enabling and disabling of token transfers. A spammer used this exploit to temporarily grind the network to a halt. Devs released an improvised fix that’s a “stopgap” ahead of the June 20th ICX mainnet tokenswap. In the aftermath, there’s been disagreement on whether the bug was mild or critical, while the episode highlights the cat-and-mouse dynamics of the game-theoretic cryptoverse.
Sounding the alarm, one of the first cryptoverse denizens to identify the bug noted that a flawed access check in ICX’s ERC20 smart contract let arbitrary addresses manipulate transfers on the ICON network. The bug had initially been identified in another project.
“[…] a smart contract bug was first discovered in Yggdrash (YEED) that allowed anyone except the contract creator to enable and disable token transfers for everyone,” they wrote. “A short while later the same bug was found in the Icon (ICX) smart contract. A few minutes ago, someone began spamming the contract with disable transfer transactions.”
Another Redditor, u/firesquidwao, listed out precisely where the contract went wrong:
In the last segment of the code pictured in that post (the image is not reproduced here), the “!=” should read “==”. Because it did not, the check was inverted: every address except the ICX smart contract’s creator could call the transfer-toggling functions, so only the creator was locked out of the exploit. And, because of the way Ethereum-based ERC20 smart contracts are designed, short of contract redeployment or a fork, any fix would have to be provisional.
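To make the inverted check concrete, here is an illustrative reconstruction of the pattern the article describes, written for this piece and not taken from the ICON or Yggdrash contracts. The names (walletAddress, onlyFromWallet, tokenTransfer, TransferStateChanged) and the token balances are assumptions chosen for the example. The vulnerable variant and the corrected variant differ only in the single comparison operator in the modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction for this article; not the ICON project's own source.
// walletAddress, onlyFromWallet, tokenTransfer and TransferStateChanged are assumed names.
abstract contract TransferGate {
    address public walletAddress;          // the deployer, the only party meant to toggle transfers
    bool public tokenTransfer = true;      // true while transfers are allowed
    mapping(address => uint256) public balanceOf;

    // Emitted on every toggle so an off-chain monitor can see who flipped the switch.
    event TransferStateChanged(bool enabled, address indexed by);

    constructor() {
        walletAddress = msg.sender;
        balanceOf[msg.sender] = 1_000_000;  // constructed sample supply
    }

    // The access check is left to the concrete contracts below.
    modifier onlyFromWallet() virtual;

    function enableTokenTransfer() external onlyFromWallet {
        tokenTransfer = true;
        emit TransferStateChanged(true, msg.sender);
    }

    function disableTokenTransfer() external onlyFromWallet {
        tokenTransfer = false;
        emit TransferStateChanged(false, msg.sender);
    }

    // Every transfer is gated on the flag, which is why flipping it freezes the token.
    function transfer(address to, uint256 value) external returns (bool) {
        require(tokenTransfer, "transfers disabled");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// The bug pattern: "!=" admits every caller EXCEPT the creator, the inverse of the intent.
contract TransferGateVulnerable is TransferGate {
    modifier onlyFromWallet() override {
        require(msg.sender != walletAddress, "caller must not be the wallet"); // wrong operator
        _;
    }
}

// The corrected check: only the creator's wallet may enable or disable transfers.
contract TransferGateFixed is TransferGate {
    modifier onlyFromWallet() override {
        require(msg.sender == walletAddress, "caller is not the wallet");
        _;
    }
}
```

The TransferStateChanged event is what makes a stopgap of the kind described later in the article practical: a monitoring script can subscribe to it and react to any emission with enabled == false, and a unit test for the fixed contract should assert that a non-wallet caller reverts on both enableTokenTransfer() and disableTokenTransfer(). An audit rule of thumb follows directly from this bug: any require() in an access-control modifier that uses != deserves a second look.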
So as an attacker or attackers began spending ether on gas to spam the contract with disable-transfer transactions, ICX tokens became immovable and the ICON devs were forced to spring into action.
A ‘Hot Fix’ Materializes
Within hours of the spam attack starting, a provisional fix was in. As u/modeluser noted in r/helloicon, a JSON-triggered script was the ICON team’s response:
“They created an automated script to reverse every ‘disableTokenTransfer()’ function by calling the inverse ‘enableTokenTransfer()’ function.
It’s a hot fix / stopgap until they come up with a permanent solution such as a fork.
In my opinion it’s a clever solution within the scope of immutable code.”
That script now fires every time a disableTokenTransfer() call comes in. It was a quick, though imperfect, mitigation: each response to the spam costs ether, so the attacker effectively sets the defenders’ bill, but it did creatively bring functionality back to the ICX smart contract. The project’s June 20th mainnet tokenswap now looks like an opportunity to leave the old contract behind — fortunate timing if such an avenue works out smoothly.
Responses Ran the Gamut
The ICON community saw a wide range of dialogue in the wake of the incident. Some users were enthused with the team’s quick makeshift response, while others argued the bug showed a troubling lack of auditing and called it “far from minor.”
Still others suggested their own proposals for solving the transaction issue in non-invasive ways.
ICON Foundation Council member Min argued the bug was relatively mild but noted there was “no excuse” and that the ICON leadership were trying to push forward as resolutely as possible:
“Our guys have laid out a plan and are taking steps to resolve this the best way possible. In the grand scheme of things, I consider this minor because the damage is minor. Nothing like exchange hacks, DAO, Parity Multisig, etc. Blockchain projects have survived through worse events in the past. This may cause some annoyance, but like you suggested, there are solutions and funds are ultimately safe, and we are thankful for that.
Still, there is no excuse for this and we take full responsibility. There is no tip-toeing around taking the blame. But, we’re not sorry either because hiccups are part of growth. It’s more important how you deal with the issue at hand. It’s more important to come out on top.”
Acute Blockchain Woes Abound Lately
There has been a spate of recent technical woes and network attacks in the ecosystem that highlight the still-fledgling space’s growing pains.
This week, the recently launched EOS blockchain endured an unexpected pause in its network, which sent its block producers scrambling for a fix as well.
There has also been a wave of blockchain 51 percent attacks, namely against projects like Verge (XVG) and Bitcoin Gold (BTG). And, while these types of attacks are “apples and oranges” different from the one outlined against ICX in the passages above, both attack vectors indicate that attackers will leverage any advantages or exploits they can find. Projects in the space must remain ever vigilant accordingly.
What’s your take? A mild or severe bug? Sound off in the comments below.
Images via Pixabay, Reddit