Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
71 lines (41 sloc) 2.78 KB

contract address:

PolyAi (AI) https://etherscan.io/address/0x5121e348e897daef1eef23959ab290e5557cf274#code (CVE-2018-17050)

ubstratum (SUB) https://etherscan.io/address/0x12480e24eb5bec1a9d4369cab6a80cad3c0a377a#code (CVE-2018-12511)

BitAseanToken https://etherscan.io/address/0x2a05d22db079bc40c2f77a1d1ff703a56e631cc1#code

Buggyra Coin Zero (BCZERO) https://etherscan.io/address/0xd45247c07379d94904e0a87b4481f0a1ddfa0c64#code

EcoRealEstate (ECOREAL) https://etherscan.io/address/0xb052f8a33d8bb068414eade06af6955199f9f010#code

Fujinto (NTO) https://etherscan.io/address/0x8a99ed8a1b204903ee46e733f2c1286f6d20b177#code

ICO (¢) https://etherscan.io/address/0xa33e729bf4fdeb868b534e1f20523463d9c46bee#code

Internet Node Token (INT) https://etherscan.io/address/0x0b76544f6c413a555f309bf76260d1e02377c02a#code

Nexxus (NXX) https://etherscan.io/address/0x7627de4b93263a6a7570b8dafa64bae812e5c394#code (CVE-2018-18665)

Pylon (PYLNT) https://etherscan.io/address/0x7703c35cffdc5cda8d27aa3df2f9ba6964544b6e#code (CVE-2018-18667)

RemiCoin (RMC) https://etherscan.io/address/0x7dc4f41294697a7903c4027f6ac528c5d14cd7eb#code

SwftCoin (SWFTC) https://etherscan.io/address/0x0bb217e40f8a5cb79adf04e1aab60e5abd0dfc1e#code (CVE-2018-18666)

Target Coin (TGT) https://etherscan.io/address/0x0bb217e40f8a5cb79adf04e1aab60e5abd0dfc1e#code

PolyAi (AI)

function mintToken(address target, uint256 mintedAmount) onlyOwner {
        balanceOf[target] += mintedAmount;
        Transfer(0, owner, mintedAmount);
        Transfer(owner, target, mintedAmount);
    }

The PolyAi token could be arbitrary minted by its creator in function mintToken(). The balanceOf[target] and mintedAmount are a defined as uint, so oprator '+' would definitely result in an integer overflow.

step1:call mintToken and give "0x692a70d2e424a56d2c6c27aa97d1a86395877b3a" 10 tokens

p0

we can see the balance of 0x692a70d2e424a56d2c6c27aa97d1a86395877b3a is 10

step2:call mintToken and give "0x692a70d2e424a56d2c6c27aa97d1a86395877b3a"

p0 115792089237316195423570985008687907853269984665640564039457584007913129639926(2^256 -10) tokens

we can see the balance of 0x692a70d2e424a56d2c6c27aa97d1a86395877b3a is 0 in theabove picture.

By the way, the totalSupply is not operated everytime mintToken is called."

Substratum (SUB) & BitAseanToken

 function mintToken(address target, uint256 mintedAmount) onlyOwner {
        balanceOf[target] += mintedAmount;
        totalSupply += mintedAmount;
        Transfer(0, this, mintedAmount);
        Transfer(this, target, mintedAmount);
    }

the exploit process is same as the first one