EUVD-2018-11506

Malware in sbrugna...

The Treasury.sol contract changes the address for the different manager contract in one function call.

Lines of code Vulnerability details Impact In a case where either one of the manager addresses the tokenomics, depositiory or dispenser contracts are compromised or deprecated, attempting to replace the compromised manager contract address necessitates an overall replacement of all the other...

lack of an ownership transfer mechanism

Lines of code Vulnerability details Issue: The code does not have a mechanism to transfer ownership of the contract. In the current implementation, once deployed, the contract owner's address cannot be changed. This can be problematic for contract maintenance and security, as it restricts the...

Existing checks with INT_MAX are insufficient such that the contract becomes dysfunctional after initial deployment of some large balance(s)

Lines of code Vulnerability details Impact EvolvingProteus.sol contains a variety of functions which detail the price in tokens to be paid in swaps, withdraws, and deposits. In external functions such as depositGivenInputAmount, as well as internal functions such as checkBalances, there exists a...

The owner is a single point of failure and a centralization risk

Lines of code Vulnerability details Impact Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Similar...

anyone can call initialize() functions which can cause lost of funds and contract ownership

Lines of code Vulnerability details Impact Most of the smart contracts have an initialize function that anyone can call as initialize function visibility is either external or public. This could lead to a race condition when the contract is deployed. At that moment a hacker or attacker could call...

Lack of address check for contract ownership changes

Lines of code Vulnerability details Impact Not Checking for zero address input can cause to lose of ownership by accident . Proof of Concept owner try to change ownership to a zero address and it cause to lose of funds . Tools Used Recommended Mitigation Steps Add a check that address in not zero...

Aurora IDEX Membership(IDXM), ERC20 Token, allows attackers to acquire contract ownership (CVE-2018–10666)

Abstract I found a new vulnerability in smart contract of IDXM Token CVE-2018–106661. Attackers can acquire contract ownership because the setOwner function is delcared as public. A new owner can subsequently bypass intended access restrictions by, for example, calling uploadBalances. Details In...

New ownerAnyone Bug Allows For Anyone to ''Own'' Certain ERC20-Based Smart Contracts (CVE-2018-10705)

This morning, our vulnerability-scanning system at PeckShield identified a new vulnerability named ownerAnyone in certain ERC20-based smart contracts such as AURA, which is deployed by a decentralized banking and finance platform – AURORA. This bug, if successfully exploited, might introduce the...

VulnCheck KEV: CVE-2018-11329

The DrugDealer function of a smart contract implementation for Ether Cartel, an Ethereum game, allows attackers to take over the contract's ownership, aka ceoAnyone. After that, all the digital assets including Ether balance and tokens might be manipulated by the attackers, as exploited in...