14 matches found
BitKeep Confirms Cyber Attack, Loses Over $9 Million in Digital Currencies
Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyber attack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies. "With maliciously implanted code, the altered APK led to the leak of user's...
Hackers Steal $200 Million Worth of Cryptocurrency Tokens from BitMart Exchange
Cryptocurrency trading platform BitMart has disclosed a "large-scale security breach" that it blamed on a stolen private key, resulting in the theft of more than $150 million in various cryptocurrencies. The breach is said to have impacted two of its hot wallets on the Ethereum (ETH) blockchain and...
Cream Finance DeFi Platform Rooked For $29M
Cream Finance is the latest decentralized finance (DeFi) platform for cryptocurrency trading to take a major financial hit at the hands of hackers, losing nearly $19 million in an attack this week on its "flash loan" feature. The attacker was able to steal nearly $29 million before being discovered...
EPoD: Ethereum Packet of Death (CVE-2018-12018)
PeckShield has so far discovered quite a few critical smart contract vulnerabilities. Besides smart contracts, the Ethereum ecosystem also includes various other components that are equally exposed to possible exploitation. Obviously, one such component is the core of Ethereum, i.e., the underlyi...
Design/Logic Flaw
The approveAndCallcode function of a smart contract implementation for Globalvillage ecosystem (GVE), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the...
Design/Logic Flaw
The approveAndCallcode function of a smart contract implementation for Block 18 (18T), a tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the "evilReflex"...
CVE-2018-12702
The approveAndCallcode function of a smart contract implementation for Globalvillage ecosystem (GVE), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the...
CVE-2018-12703
The CVE-2018-12703 vulnerability affects the approveAndCallcode flow in Block 18 (18T) ERC20 contracts. The issue is that _spender.call(_extraData) is not verified, enabling an attacker to hijack the callback and trigger arbitrary contract calls from the vulnerable contract. According to the Seeb...
CVE-2018-12702
The approveAndCallcode function of a smart contract implementation for Globalvillage ecosystem (GVE), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the...
CVE-2018-12702
The CVE-2018-12702 entry concerns Globalvillage ecosystem (GVE) ERC20 contracts where approveAndCallcode allows an attacker to hijack a callback via a non-verified _spender.call(_extraData), enabling token transfers from the vulnerable contract (evilReflex). Connected sources describe the mechani...
New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOverflow[5], burnOverflow[6], ceoAnyone[7]). Some of them could be used by attackers to generate tokens out of nowhere ...
New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11239)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities (batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOverflow[5]). Some of them could be used by attackers to generate tokens out of nowhere while others can be used to...
New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10376)
On 4/24/2018, 01:17:50 p.m. UTC, PeckShield again detected an unusual MESH token transaction (shown in Figure 1). In this particular transaction, someone transferred a large amount of MESH token, 0x8fff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff,ffff (63 f's), to herself...
SMT smart contract integer overflow vulnerability - vulnerability warning - the black bar safety net
Vulnerability overview: SmartMesh Token, referred to as SMT, is a token based on an Ethereum contract. Ethereum is an open source, public, distributed computing platform; the SmartMesh token contract, SmartMeshTokenContract, is based on the ERC20 token standard. The vulnerability occurs in the transfer...