New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398)

Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities ( batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4],multiOverflow[5]), burnOverflow[6]), ceoAnyone[7]). Some of them could be used by attackers to generate tokens out of nowhere or steal tokens from legitimate holders, while others can be used to take over the ownership from legitimate contract owner (or administrator).

Today, our system reports a new vulnerability called allowAnyone that affects a number of publicly tradable tokens (including EDU). Because of the vulnerability, attackers can steal valuable tokens (managed by affected, vulnerable smart contracts) from legitimate holders. More specifically, our investigation shows that in those vulnerable smart contracts, the ERC20 standard API,transferFrom(), has an issue when checking the allowed[ ][ ] storage, which typically represents the amount of tokens that _from allows msg.sender to use. As a result, anyone can transfer tokens on behalf of another one who has non-zero balance.

Figure 1: An allowAnyone-affected Smart Contract

We show in Figure 1 the vulnerable  transferFrom  function. Notice that the only appearance of allowed[ ][ ]  is a subtraction operation in line 81. Because the  SafeMath  subtraction is not used here, the simple math operation would not  revert  when  allowed[_from][msg.sender]  is less than _value . In addition,  allowed[_from][msg.sender]  is not checked at all throughout the function. As a result, we can choose a random token holder as  _from  and transfer tokens to an arbitrary address.

Figure 2: An Experimental Attack

In a safe transferFrom implementation, checking the allowance is essential and is typically the case in a number of reference ERC20 transferFrom() implementation. (Otherwise, it would be a stealFrom() implementation!) On the other hand, SafeMath again proves itself as a solid library since it can even cover the missed allowance check logic in this case. As always, make sure you use it in all smart contracts that have arithmetic operations!

We have notified a number of affected development teams and a few major cryptocurrency exchanges have taken preventative actions to suspend relevant deposit and withdrawal operations. In the meantime, we closely monitor latest development. Affected development teams are strongly encouraged to contract us and we are willing to offer any necessary help!