On August 31 and September 1 (Beijing time), the CertiK security research team found that two SushiSwap clone projects, YUNo Finance (YUNO) and KIMCHI.finance (KIMCHI), both have a flaw in their smart contracts. If exploited, the smart contract owner can mint an unlimited number of the project's tokens, causing inflation and ultimately the collapse of the project's economic model.
Unlimited minting flaw
Taking the smart contract of the YUNo project as the example, the CertiK security research team analysed this unlimited minting flaw. The technical details are as follows:
In the MasterChef.sol smart contract of the YUNo project, the dev method at line 1354 allows the caller that currently holds the devaddr identity to transfer the devaddr status to another address.
Screenshot source: Https://etherscan.io/
In the figure below, the mint method at line 1282 of the smart contract is restricted by the onlyOwner modifier; the onlyOwner modifier ensures that only the smart contract owner can execute this method.
Source of the three screenshots above: Https://etherscan.io/
When the caller holding the devaddr identity also happens to hold the Owner identity, it can mint tokens without limit by calling the mint method at line 1282 of the MasterChef.sol smart contract. The mint method at line 1282 in turn calls the mint method at line 1130, which calls the _mint method at line 1044, completing the minting operation.
The unlimited minting flaw in the KIMCHI project's smart contract is essentially identical to the one above, so it is not repeated here.
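The following is an added, constructed illustration of the pattern the article describes; it is not the YUNo, KIMCHI or SushiSwap code. It reduces the two roles to their essentials: a token whose mint is owner-gated, a chef contract whose owner may call that mint with no upper bound on the amount, and a transferable devaddr role. The contract names, the revert strings and the ownerIsContract helper are assumptions made for this example; the line numbers in the comments refer to the article's description of the call chain, not to positions in this file.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

// Constructed illustration (not the YUNo/KIMCHI code): a minimal reward token
// whose supply can only be increased by its owner.
contract RewardToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() public { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Ownership is handed to the chef contract after deployment so that the
    // chef becomes the only caller allowed to mint.
    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }

    // Mirrors the article's chain: chef mint -> token mint (line 1130)
    // -> internal _mint (line 1044).
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;   // no cap: supply can grow without limit
        balanceOf[to] += amount;
    }
}

// Constructed simplification of the "chef" contract. `owner` is whoever
// deployed it (or later received ownership); `devaddr` is a separate role
// that the current holder may transfer.
contract SimpleChef {
    RewardToken public token;
    address public owner;
    address public devaddr;

    constructor(RewardToken _token, address _devaddr) public {
        token = _token;
        owner = msg.sender;
        devaddr = _devaddr;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Corresponds to the dev method the article places at line 1354: only the
    // current devaddr holder may hand the role to another address.
    function dev(address _devaddr) external {
        require(msg.sender == devaddr, "not devaddr");
        devaddr = _devaddr;
    }

    // Corresponds to the owner-gated mint the article places at line 1282.
    // Nothing bounds `amount`, so an owner with no external restriction can
    // inflate the supply at will. This is the flaw the article describes.
    function mint(address to, uint256 amount) external onlyOwner {
        token.mint(to, amount);
    }

    // What a reviewer or investor checks first: is `owner` an externally owned
    // account (a single key, no delay on mint) or a contract such as a
    // timelock? extcodesize == 0 means an externally owned account.
    function ownerIsContract() external view returns (bool) {
        uint256 size;
        address o = owner;
        assembly { size := extcodesize(o) }
        return size > 0;
    }
}
```

Deployment for this example is: deploy RewardToken, deploy SimpleChef with the token address, then call token.transferOwnership(chef). From then on the only path to new tokens is chef.mint, and the question the article asks (who holds owner and devaddr, and is the owner itself restricted) is exactly the question ownerIsContract and the two public role variables answer.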
If the Owner address and the devaddr address are the same, and nothing external restricts the smart contract owner, then the owner has the power to mint an arbitrary amount of tokens, which exposes investors to risk. So, in the YUNo and KIMCHI projects, are devaddr and Owner the same person? Is there any other external mechanism that restricts the smart contract owner of these two projects?
The figure below shows the addresses holding the devaddr and Owner roles in the MasterChef.sol smart contract of the YUNo project (as of 11 p.m. Beijing time, September 1).
Screenshot source: Https://etherscan.io/
The figure below shows the addresses holding the devaddr and Owner roles in the KimchiChef.sol smart contract of the KIMCHI project (as of 11 p.m. Beijing time, September 1).
Screenshot source: Https://etherscan.io/
As the two figures show, in the YUNo project the devaddr and Owner roles are held by the same address, so the owner of its smart contract has the power to mint tokens without restriction. In the KIMCHI project the devaddr and Owner roles are held by different addresses, but because the devaddr identity can be transferred, a certain risk remains.
Current measures
To ensure the unlimited minting flaw cannot be triggered, the smart contract owners of the YUNo and KIMCHI projects must be restricted externally. The restriction currently in place is the same as in the SushiSwap project: every operation the smart contract owner performs on the smart contract is subject to a 48-hour delay. Any operation coming from the smart contract owner can be observed by all investors, who then have 48 hours to respond.
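The following is an added, constructed example of the kind of external restriction described above: a minimal timelock contract that is made the chef's owner, so every owner-only call (including mint) must be announced on chain and can only be executed after the 48-hour delay has passed. It is not the SushiSwap, YUNo or KIMCHI timelock; the contract name, function names, events and revert strings are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

// Constructed illustration (not the projects' code): a timelock that holds the
// chef's `owner` role. The admin can only execute a call DELAY seconds after
// publicly queueing it, which gives investors the 48-hour window to react.
contract MinimalTimelock {
    uint256 public constant DELAY = 48 hours;

    address public admin;                        // may queue, cancel, execute
    mapping(bytes32 => uint256) public queuedAt; // txHash => eta (0 = not queued)

    event Queued(bytes32 indexed txHash, address target, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed txHash);
    event Executed(bytes32 indexed txHash, address target, bytes data);

    constructor(address _admin) public { admin = _admin; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // The queued call is identified by target, calldata and execution time, so
    // anyone watching the Queued event can see exactly what will be executed.
    function hashTx(address target, bytes memory data, uint256 eta) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, eta));
    }

    // Step 1: announce the call. `eta` must lie at least DELAY in the future.
    function queue(address target, bytes calldata data, uint256 eta) external onlyAdmin returns (bytes32) {
        require(eta >= block.timestamp + DELAY, "eta too early");
        bytes32 txHash = hashTx(target, data, eta);
        require(queuedAt[txHash] == 0, "already queued");
        queuedAt[txHash] = eta;
        emit Queued(txHash, target, data, eta);
        return txHash;
    }

    // The admin may withdraw an announced call before it is executed.
    function cancel(address target, bytes calldata data, uint256 eta) external onlyAdmin {
        bytes32 txHash = hashTx(target, data, eta);
        require(queuedAt[txHash] != 0, "not queued");
        delete queuedAt[txHash];
        emit Cancelled(txHash);
    }

    // Step 2: execute, only once the delay has elapsed. Because the timelock is
    // the chef's owner, an owner-only call such as mint has no other path.
    function execute(address target, bytes calldata data, uint256 eta) external onlyAdmin returns (bytes memory) {
        bytes32 txHash = hashTx(target, data, eta);
        require(queuedAt[txHash] != 0, "not queued");
        require(block.timestamp >= eta, "still locked");
        delete queuedAt[txHash];
        (bool ok, bytes memory result) = target.call(data);
        require(ok, "call failed");
        emit Executed(txHash, target, data);
        return result;
    }
}
```

To put it in front of a chef contract, the current owner transfers the chef's ownership to the deployed timelock address. From then on, an investor checking the chef's owner sees a contract rather than an externally owned account, the Queued events are the early warning the article refers to, and the DELAY constant is the guaranteed minimum time between announcement and execution.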
CertiK security team recommendations
DeFi and related farming projects are currently extremely popular. Because blockchain projects are expected to publish their code, the barrier to launching a new project is very low, and blindly copying other projects can introduce arbitrary flaws. A project should therefore undergo a strict security audit before it goes live.
From the investor's perspective, current farming projects routinely advertise return rates in the hundreds of percent, which easily leads investors to invest blindly without adequate understanding of the project itself. For example, SushiSwap, YUNo and KIMCHI all launched quickly without rigorous security testing and verification. Investors may be tempted by enormous returns and put precious capital into smart contracts that carry great risk.