A vulnerability in Truebit’s code enabled an attack that generated about $26 million in new tokens.
The flaw allowed the attacker to create tokens almost for free, which shows that even long-running blockchain systems can still be at risk.
According to a report from the blockchain security firm SlowMist, the issue was linked to how Truebit’s smart contract handled payments. The attacker exploited a contract error that allowed them to generate large amounts of tokens “without paying any ETH
“.
Did you know?
Subscribe – We publish new crypto explainer videos every week!
Crypto Day Trading VS Swapping: What’s More Rewarding? (Animated)
SlowMist explained that a small arithmetic error caused the problem. The report stated, “Due to a lack of overflow protection in an integer addition operation, the Purchase contract of Truebit Protocol produced an incorrect result when calculating the amount of ETH required to mint TRU tokens”.
That error enabled the attacker to mint $26 million worth of TRU tokens with almost no cost. The post-mortem noted that the smart contract’s code “erroneously reduced” the price calculation.
The issue was linked to the version of Solidity used to write the contract, version 0.6.10. Earlier versions of the programming language lacked automatic checks to prevent numerical overflow.
When a number went beyond the maximum value for “uint256″, it would loop back to a small number near zero.
Trust Wallet’s browser extension v2.68 suffered a $7 million breach. How did the incident happen? Read the full story.
