New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018–11397, CVE-2018–11398)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow[1], proxyOverflow[2], transferFlaw[3],ownerAnyone[4], multiOverflow[5]), burnOverflow[6]), ceoAnyone[7]). Some of them could be used by attackers to generate tokens out of nowhere or steal tokens from legitimate holders, while others can be used to take over the ownership from legitimate contract owner (or administrator).
Today, our system reports a new vulnerability called allowAnyone that affects a number of publicly tradable tokens (including EDU). Because of the vulnerability, attackers can steal valuable tokens (managed by affected, vulnerable smart contracts) from legitimate holders. More specifically, our investigation shows that in those vulnerable smart contracts, the ERC20 standard API,transferFrom(), has an issue when checking the allowed[ ][ ] storage, which typically represents the amount of tokens that _from allows msg.sender to use. As a result, anyone can transfer tokens on behalf of another one who has non-zero balance.
We show in Figure 1 the vulnerable transferFrom function. Notice that the only appearance of allowed[ ][ ] is a subtraction operation in line 81. Because the SafeMath subtraction is not used here, the simple math operation would not revert when allowed[_from][msg.sender] is less than _value. In addition, allowed[_from][msg.sender] is not checked at all throughout the function. As a result, we can choose a random token holder as _from and transfer tokens to an arbitrary address.
Figure 2: An Experimental Attack
In a safe transferFrom implementation, checking the allowance is essential and is typically the case in a number of reference ERC20 transferFrom() implementation. (Otherwise, it would be a stealFrom() implementation!) On the other hand, SafeMath again proves itself as a solid library since it can even cover the missed allowance check logic in this case. As always, make sure you use it in all smart contracts that have arithmetic operations!
We have notified a number of affected development teams and a few major cryptocurrency exchanges have taken preventative actions to suspend relevant deposit and withdrawal operations. In the meantime, we closely monitor latest development. Affected development teams are strongly encouraged to contract us and we are willing to offer any necessary help!
About US
PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of current blockchain ecosystem. For any business or media inquires (e.g., smart contract auditing), please contact us at telegram(t.me/peckshield), twitter, or email(contact@peckshield.com).
References
- [1] PeckShield: New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10299), April 22, 2018
- [2] PeckShield: New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10376), April 25, 2018
- [3] PeckShield: Your Tokens Are Mine: A Suspicious Scam Token in A Top Exchange, April 28, 2018
- [4] PeckShield: New ownerAnyone Bug Allows For Anyone to ‘‘Own’’ Certain ERC20-Based Smart Contracts (CVE-2018–10705), May 03, 2018
- [5] PeckShield: New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018–10706), May 10, 2018
- [6] PeckShield: New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018–11239), May 18, 2018
- [7] PeckShield: New ceoAnyone Bug Identified in Multiple Crypto Game Smart Contracts (CVE-2018–11329), May 21, 2018