Reason for the REP contract address change



What was the reason behind the recent change in the REP ERC20 token contract address?

Previously when I logged into my wallet, the REP contract address was listed as: 0x48c80F1f4D53D5951e5D5438B54Cba84f29F32a5

Currently, when I view this contract address on Etherscan I am told:

This is the OLD Serpent Augur (REP) Token contract which has since been replaced with 0xe94327d07fc17907b4db788e5adf2ed424addff6

What was the reason for this change?

What do REP owners need to do in response to this?

What happens to REP stored in the old contract address? Is it still usable?


Posted 2017-08-04T16:47:21.260

Reputation: 113



There was a buffer overflow vulnerability in the old Serpent contract. Because of this vulnerability, Serpent’s un-enforced types and how Serpent computes memory addresses, it was possible to increase the timestamp for REP token creation, locking up REP indefinitely, making transfers impossible. More details from Zeppelin Solutions are provided here.

The fix involved a migration from Serpent to Solidity with the following new REP contract address: 0xE94327D07Fc17907b4DB788E5aDf2ed424adDff6

REP owners do not need to do anything. All balances have been migrated to the new contract address, and all known exchanges and wallet providers have already completed the update.

Technically REP still exists in the old Serpent contract address, but because the flaw described above was purposefully triggered by the Augur development team in conjunction with Zeppelin Solutions, the REP is inaccessible for 31 billion years.


Posted 2017-08-04T16:47:21.260

Reputation: 113