Blockchain security company discovers new smart contract security flaw; Huobi suspends deposits and withdrawals for two tokens

By Fanqian Qian / Source: PANews

Blockchain security company PeckShield recently discovered a new type of smart contract security flaw, "EvilReflex". An attacker can use a public interface to steal the tokens held in the contract's account.

PeckShield says this flaw allows an attacker to call any contract address, with arbitrary parameters, from the vulnerable contract, so the attacker immediately holds the same privileges as the contract address. In some smart contracts the contract address itself may be used for authorization, that is, certain privileged operations can only be initiated by the contract address, which means the attacker can execute those privileged operations too. Seen from another angle, if a contract address with this flaw happens to hold cryptocurrency assets, the attacker can easily steal them.
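The trust problem described above can be modelled in a few lines. This is an added illustration, not PeckShield's code or any affected token's code: a toy Python model of caller identity in which every name (`Token`, `notify`, `Receiver`, `on_tokens_received`) and every balance is a constructed assumption, showing the unrestricted outgoing call beside a restricted one.

```python
# Toy model of msg.sender semantics; all names and balances are hypothetical.

class Receiver:
    def __init__(self):
        self.seen = []

    def on_tokens_received(self, sender, user, value):
        self.seen.append((sender, user, value))  # sender is the token contract
        return True


class Token:
    def __init__(self, address, hardened):
        self.address, self.hardened = address, hardened
        self.balances = {address: 1000, "alice": 50}  # constructed sample state

    def transfer(self, sender, to, value):
        # `sender` plays the role of msg.sender: whoever made this call.
        if value < 0 or self.balances.get(sender, 0) < value:
            raise PermissionError("insufficient balance")
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value
        return True

    def notify(self, sender, target, method, args, registry):
        if self.hardened:
            # Fix: pin the callback method and refuse to call back into ourselves.
            if target == self.address or method != "on_tokens_received":
                raise PermissionError("callback not allowed")
        # The contract makes this call, so the callee sees the contract's
        # address as msg.sender, not the external caller's.
        return getattr(registry[target], method)(self.address, *args)


def contract_funds_exposed(hardened):
    """True if an account holding nothing can move the contract's own balance."""
    token = Token("token", hardened)
    registry = {"token": token, "receiver": Receiver()}
    try:
        token.notify("mallory", "token", "transfer", ("mallory", 1000), registry)
    except PermissionError:
        pass
    return token.balances["token"] != 1000


def legit_callback_works(hardened):
    token = Token("token", hardened)
    registry = {"token": token, "receiver": Receiver()}
    return token.notify("alice", "receiver", "on_tokens_received", ("alice", 5), registry)
```

In the unrestricted form the balance check in `transfer` passes because the call arrives with the contract's own identity; the restricted form keeps the legitimate callback working while rejecting any call routed back into the contract.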

According to PeckShield researchers, more than ten tokens have so far been found to be affected by this flaw, and some of them are already traded on certain top exchanges. PeckShield has reported the issue to the relevant exchanges and is helping to fix it.

On the afternoon of June 24, Huobi announced that, to protect user assets, it was suspending deposits and withdrawals for 18T and GVE.

In addition, tokens that are being traded have already been attacked, resulting in the theft of at least 100 or more tokens. PeckShield is in contact with the project teams behind these tokens and with the exchanges, and is helping them fix the problem.

PeckShield says its researchers discovered this flaw about a month ago. Given the sensitivity and seriousness of the problem, the details of the flaw can only be made public after cooperation with the main exchanges. Meanwhile, researchers including @隐形人真忙 have previously described the principle behind this kind of flaw, discussing it with ERC223 as a case study.

To date, PeckShield has discovered a variety of serious smart contract security flaws through its vulnerability scanning system.

In late April, PeckShield discovered the new batch overflow (BatchOverflow) and proxy overflow (ProxyOverflow) bugs in many ERC20 smart contracts. By exploiting them, an attacker can generate a large number of tokens out of thin air. Shortly afterwards, PeckShield discovered the new transfer flaw (TransferFlaw), which an attacker can exploit to steal digital assets from the accounts of legitimate holders.

In May, PeckShield researchers discovered the new OwnerAnyone flaw, which an attacker can use to take ownership of certain ERC20-based smart contracts, possibly even causing denial of service for the affected smart contracts. In the same period, its researchers also discovered the new multi overflow (MultiOverflow) and burn overflow (BurnOverflow) bugs in many ERC20 smart contracts. These two flaws are similar to batch overflow and proxy overflow, and the harm caused by an attack is the same. In addition, PeckShield reported that it had identified a new CeoAnyone flaw in many crypto game smart contracts; by exploiting it, an attacker can take over the administrator's privileges. Two days later, PeckShield discovered the new AllowAnyone flaw, which allows an attacker to steal other people's tokens.

In June, PeckShield discovered the new AllowFlaw flaw in many ERC20 smart contracts. In addition, PeckShield disclosed the details of the TradeTrap flaw. The affected ERC20 tokens are currently publicly listed on many popular exchanges; the flaw leaves them no longer centrally controlled or operated, and a malicious party can easily use it to buy or sell off the affected tokens, causing losses to traders and even affecting the security of exchanges.
