CVE-2018-17111
Vendor
Coinlancer (CL) token
Vulnerability Type
Access Control
Abstract
We found a vulnerability in the smart contract of Coinlancer, an Ethereum ERC-20 token. The contract misuses the modifier onlyOwner(), which results in a potential access control vulnerability.
Details
Coinlancer is an Ethereum ERC-20 token which embraces blockchain technology to help you keep up with the trend of freelancing. You can buy the token on several exchanges such as Mercatox, Cryptopia and Yobit.
Figure 1. Coinlancer's Market Capitalization
The onlyOwner modifier of the smart contract implementation for Coinlancer (CL), an Ethereum ERC-20 token, has a potential access control vulnerability. Every contract user except the owner can call functions guarded by this onlyOwner modifier, because the comparison between msg.sender and owner is inverted (it requires that the sender is not the owner).
// Functions with this modifier can only be executed by the owner
modifier onlyOwner() {
    require(msg.sender != owner); {
    }
    _;
}
Coinlancer is ranked 851st by market capitalization on coinmarketcap (07:05 UTC, 2018-08-05). It is traded on multiple exchanges, but there are several problems in the code, such as a meaningless empty block after the require statement and a modifier condition that is not checked properly (line 55 of the verified contract source).
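To make the inversion visible, the following added example (not Coinlancer's code) places the buggy modifier from the advisory next to a corrected one in a small demonstration contract; the contract name, the functions and the Solidity 0.8 syntax are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical demonstration contract (not from the Coinlancer source).
// Both modifiers guard a trivial setter so their behaviour can be compared.
contract OwnerCheckDemo {
    address public owner;
    uint256 public rate;

    constructor() {
        owner = msg.sender;
    }

    // Buggy form as reported in the advisory: the comparison is inverted,
    // so every caller EXCEPT the owner passes, and the stray "{ }" block
    // after the require statement is a no-op.
    modifier onlyOwnerBuggy() {
        require(msg.sender != owner); {
        }
        _;
    }

    // Corrected form: only the owner passes; any other caller reverts.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Guarded by the buggy modifier: a non-owner can change the value,
    // while the owner's own transaction reverts.
    function setRateBuggy(uint256 newRate) external onlyOwnerBuggy {
        rate = newRate;
    }

    // Guarded by the corrected modifier: only the owner can change it.
    function setRate(uint256 newRate) external onlyOwner {
        rate = newRate;
    }
}
```

Deploying this contract and calling setRateBuggy from a second account succeeds, while the deployer's call reverts; setRate behaves the other way round, which is the intended access control.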
Exploit
This bug is not exploitable in the deployed contract, because no function actually uses this modifier. However, reusing the code when developing other tokens is likely to be dangerous.
Conclusion
Logic bugs, such as access control errors, are particularly difficult to catch with automated tools, so developers have to write conditional statements carefully.
We also wonder whether Coinlancer is developing securely, since they did not even audit the token contract code. In fact, many code-reuse vulnerabilities occur when developing Ethereum tokens. As mentioned earlier, an access control vulnerability may arise when this code is used to develop other tokens.
Reference
Official Website
Marketcap
https://coinmarketcap.com/currencies/coinlancer/
Explorer
https://etherscan.io/address/0xe81d72d14b1516e68ac3190a46c93302cc8ed60f#code
Github
Discoverer
Team Code4Block