DESCRIPTION OF EVENTS
"IseriCoin is a secure collaboration platform powered by TRON Foundation. All protected with end2end encryption."
"Today, the DVP blockchain security monitoring system TRONEYE detected an attack: from 2019-04-08 19:23:12 to 2019-04-09 12:21:30, multiple attackers launched an attack on a TRON-based token (ISERICOIN). The hackers used a contract vulnerability to send a huge amount of ISERICOIN tokens to their own accounts. The token is listed on the KIWIDEX exchange and transactions have been suspended."
"According to the DVP security team, the incident was caused by the same vulnerability in the ISERICOIN contract as in the TRONCRUSH TOKEN contract that had been attacked earlier, so the attacker used the same attack method: by transferring to himself, the attacker obtained additional tokens equal to the transfer amount."
"On 2019/04/08, PeckShield researchers identified a new type of vulnerability, TransferMint in multiple TRC20 smart contracts, which could be exploited by attackers to mint unlimited tokens. This bug is similar to the ones we identified on ERC20 smart contracts in 2018, such as batchOverflow, proxyOverflow, transferFlaw, and ownerAnyone. However, the TransferMint bug identified on TRC20 contracts is a little bit different from the previous ones."
"According to our data, there are 20+ smart contracts or dapps which are vulnerable to TransferMint. At the time we identified this, PeckShield researchers reported the problem to the owners of those vulnerable TRC20 contracts, including Iseri Project."
"When _from == _to, line 81 is overwritten by line 82. Therefore, the balance of _from would be newToVal which is oldToVal + _value or oldFromVal + _value. As a result, you can do balances[_from] = oldFromVal + _value with a _value less than or equal to balances[_from] by a loopback transfer call. That’s the reason we name the loophole TransferMint which leads to arbitrarily increasing the total supply of the token and badly affecting the ecosystem."
"If you were a victim of TBTC, IseriCoin, ReynaToken, ReynaExchange, RET, REYE or REYC please sign our petition at ExitScams.info. There are also instructions on how to file a complaint with the Securities and Exchange Commission against him. The SEC has helped resolve international crypto scams before. More details at exitscams.info. If you know of any other scams he's been a part of please comment. This guy is Tron's STD that needs to go away already."
The IseriCoin TRC20 token contract contained the vulnerability PeckShield named TransferMint: because the transfer function read both balances first and then wrote the sender's balance before the recipient's, a transfer to one's own address credited the sender with the transfer amount without debiting it, so repeated self-transfers could mint tokens without limit. It is unclear how much the issue was exploited or what the end outcome was; the project does not appear to exist anymore.
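The following Python model is an added example, not the IseriCoin contract's code and not PeckShield's. It reproduces the bookkeeping order the quoted writeup describes (read oldFromVal and oldToVal, write balances[_from], then write balances[_to]) so the self-transfer doubling can be run and checked, and places a corrected transfer beside it. The addresses and starting balances are constructed placeholders.

```python
# Added example: Python model of the TransferMint ordering bug in a TRC20-style
# transfer(). Not the IseriCoin contract; the addresses below are constructed.

ADDRESS_ATTACKER = "TAttacker"   # placeholder, not a real TRON address
ADDRESS_OTHER = "TOther"         # placeholder, not a real TRON address


class VulnerableToken:
    """Ledger whose transfer() mirrors the vulnerable code shape."""

    def __init__(self, balances):
        self.balances = dict(balances)
        # Supply as the contract itself records it; never touched by transfer().
        self.total_supply = sum(balances.values())

    def transfer(self, sender, to, value):
        old_from_val = self.balances.get(sender, 0)
        old_to_val = self.balances.get(to, 0)
        if value > old_from_val:
            raise ValueError("insufficient balance")
        new_from_val = old_from_val - value
        new_to_val = old_to_val + value
        # "line 81" then "line 82": when sender == to, the second store replaces
        # the first, so the sender finishes at old_from_val + value.
        self.balances[sender] = new_from_val
        self.balances[to] = new_to_val
        return True


class FixedToken(VulnerableToken):
    """Same ledger, but each balance is updated against current storage in
    place, so a self-transfer debits and credits the same slot and nets to 0.
    A `require(_from != _to)` guard would be an alternative fix."""

    def transfer(self, sender, to, value):
        if value > self.balances.get(sender, 0):
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances[sender] - value
        self.balances[to] = self.balances.get(to, 0) + value
        return True


def loopback_mint(token, attacker, rounds):
    """The attack from the writeup: transfer the whole balance to yourself,
    repeatedly. On the vulnerable ledger every round doubles the balance."""
    for _ in range(rounds):
        token.transfer(attacker, attacker, token.balances[attacker])
    return token.balances[attacker]


def circulating_excess(token):
    """Sum of all balances minus the supply the contract believes it issued.
    A non-zero result is the on-chain signature of tokens minted this way."""
    return sum(token.balances.values()) - token.total_supply


if __name__ == "__main__":
    start = {ADDRESS_ATTACKER: 1, ADDRESS_OTHER: 99}
    vuln = VulnerableToken(start)
    print("vulnerable, after 10 self-transfers:", loopback_mint(vuln, ADDRESS_ATTACKER, 10))
    print("excess over recorded supply:", circulating_excess(vuln))
    fixed = FixedToken(start)
    print("fixed, after 10 self-transfers:", loopback_mint(fixed, ADDRESS_ATTACKER, 10))
    print("excess over recorded supply:", circulating_excess(fixed))
```

The `circulating_excess` check is the invariant an auditor or an indexer can test directly against a token's on-chain balances: the sum of all balances must equal the recorded totalSupply, and any self-transfer that changes that sum is the bug.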
HOW COULD THIS HAVE BEEN PREVENTED?
The safest way to handle minting of new tokens in a centralized project is through an offline multi-signature arrangement requiring at least 3 of 4 known and trained individuals. In this case, however, the unauthorized issuance came through the transfer function rather than a mint function, so controls on the mint path alone would not have caught it; a review of the contract's transfer logic would have. Smart contract projects should only be approved after review by two separate validation firms, which in the case of a smart contract would include an audit, and the audit should test the invariant that the sum of all balances equals the recorded total supply, including for self-transfers. In the event a minting vulnerability was missed in both audits, a blockchain rollback would be the ideal solution, and any victims missed in the rollback could appeal to the project or industry insurance fund. Any one of the review, rollback or insurance measures would have avoided the loss.
SlowMist Hacked - SlowMist Zone (Nov 6)
https://www.ibtctrade.com/announcement/1153.html?lang=en (Dec 19)
https://tronscan-org.medium.com/tronscan-weekly-report-apr-15-21-2019-2a8667e6abef (Dec 19)
Trezor Tron Explorer (Dec 19)
https://coin.fyi/news/tron/petition-against-anthony-kudaev-btu6gi (Dec 19)
https://trx.tokenview.com/es/address/TGY1CFHqfyxFezHGeCR9RJnAEpQzMqvqRQ (Dec 19)
Tron Foundation Petition - YouTube (Dec 19)
https://www.change.org/p/tron-foundation-stop-these-exit-scams (Dec 19)
https://web.archive.org/web/20200502032436/https://blog.peckshield.com/2019/04/09/transferMint/ (Dec 19)
TRC20 IRC smart contract · iseri-project/smart-contracts@1c5a0e4 · GitHub (Dec 19)
DAPP trend list: all vulnerability wave fields on EOS may be reproduced Blockchain Network (Dec 19)