CVE-2018-17111

Vendor

Coinlancer (CL) token

Vulnerability Type

Access Control

Abstract

We found a vulnerability in the smart contract of Coinlancer, an Ethereum ERC-20 token. The contract defines the onlyOwner() modifier with an inverted check, which results in a potential access control vulnerability.

Details

Coinlancer is an Ethereum ERC-20 token marketed as a blockchain-based platform for freelancers. The token can be bought on several exchanges, such as Mercatox, Cryptopia and Yobit.

Figure 1. Coinlancer's Market Capitalization

The onlyOwner modifier in the smart contract implementing Coinlancer (CL), an Ethereum ERC-20 token, has a potential access control vulnerability. Any contract user can execute functions guarded by this modifier, because the comparison between msg.sender and owner is inverted: require(msg.sender != owner) lets every address except the owner through, and rejects the owner itself.

    // Functions with this modifier can only be executed by the owner
    modifier onlyOwner() {
        require(msg.sender != owner); {

        }
        _;
    }

Coinlancer was ranked 851st by market capitalization on CoinMarketCap (07:05 UTC, 2018-08-05). It is traded on multiple exchanges, yet the contract code has several problems: a meaningless empty block after the require statement, and a condition that does not check ownership at all, since != should be == (line 55).
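
The following is an added example, not Coinlancer's code. It places the inverted modifier from the advisory next to a correct one, each attached to a privileged function, so the difference in who can call what is directly observable. The contract name, function names and state variables are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Coinlancer's code). Contract, function and variable
// names are hypothetical; only the two modifier bodies matter.
contract OwnerCheckExample {
    address public owner;
    bool public pausedByAnyone;
    bool public pausedByOwner;

    constructor() {
        owner = msg.sender;
    }

    // Inverted check, as in the advisory: the owner is the only caller this
    // modifier REJECTS. Every other address passes the require and runs the body.
    modifier onlyOwnerBroken() {
        require(msg.sender != owner);
        _;
    }

    // Correct check: only the owner passes; everyone else reverts with a reason.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Guarded by the broken modifier: callable by any non-owner account,
    // and NOT callable by the owner. This is the bug the advisory describes.
    function pauseBroken() external onlyOwnerBroken {
        pausedByAnyone = true;
    }

    // Guarded by the correct modifier: callable only by the owner.
    function pauseSafe() external onlyOwner {
        pausedByOwner = true;
    }

    // Ownership transfer under the correct guard; rejecting the zero address
    // prevents ownership from being burned by a typo.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        owner = newOwner;
    }
}
```

To see the inversion, deploy the contract from account A and call pauseBroken() from A (reverts) and from any other account B (succeeds); pauseSafe() behaves the other way round. When reviewing a contract for this class of bug, check two things: that the modifier's condition is msg.sender == owner, and that the modifier is actually attached to every privileged function, since a correct modifier that nothing uses protects nothing.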

Exploit

In the deployed contract this bug is not exploitable, because no function actually applies the onlyOwner modifier. However, copying this code into another token that does attach onlyOwner to privileged functions (minting, pausing, withdrawing funds) would leave those functions callable by every address except the owner, so reuse of this code is dangerous.

Conclusion

Logic bugs such as inverted access control checks are particularly difficult to catch with automated tools, because the code compiles and executes without error. Developers have to write conditional statements carefully and test both the allowed and the denied path.

We also question whether Coinlancer develops securely, since the token contract was apparently deployed without an audit. Copy-and-paste reuse is a common source of vulnerabilities in Ethereum token development, and, as mentioned earlier, the same access control vulnerability will appear in any token built from this code.

Reference

Official Website

https://www.coinlancer.com/

Marketcap

https://coinmarketcap.com/currencies/coinlancer/

Explorer

https://etherscan.io/address/0xe81d72d14b1516e68ac3190a46c93302cc8ed60f#code

Github

https://github.com/coinlancer

Discoverer

Team Code4Block