Category Archives: Blockchain

Ethereum carrier Solidity shield – Call abuse vulnerability (CVE-2018-14087)

An integer overflow is the condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. Ethereum tokens are hit by this kind of vulnerability frequently. The Solidity programming language has helped Ethereum in the cryptocurrency world, but nothing is perfect. A vulnerability was recently found in the Ethereum EUC token, which is built with Solidity. The researcher nicknamed it the “call abuse” vulnerability. For details, please see the link below.

Ethereum EUC Token (call abused) – CVE-2018-14087

https://github.com/rootclay/Audit-of-smart-contracts/tree/master/0x8810C63470d38639954c6B41AaC545848C46484a

Additional information – Ethereum integer overflow vulnerabilities

Ethereum aditus token (CVE-2018-12959):

https://github.com/hellowuzekai/blockchains/blob/master/overflow2.md

Ethereum mkcb_token:

https://github.com/hellowuzekai/blockchains/blob/master/README.md

Ethereum singaporecoinorigin token:

https://github.com/hellowuzekai/blockchains/blob/master/overflow1.md

Ethereum stex white list token:

https://github.com/hellowuzekai/blockchains/blob/master/overflow3.md

Ethereum tracto token:

https://github.com/tracto2/Tracto-ERC20/issues/1

Ethereum virgo zodiactoken token:

https://github.com/hellowuzekai/blockchains/blob/master/transferFrom.md

Not an integer overflow vulnerability:

Ethereum userwallet 0x0a7bca9fb7aff26c6ed8029bb6f0f5d291587c42 token:

https://github.com/hellowuzekai/blockchains/blob/master/delegatecall.md

Integer overflow weakness could kill Ethereum, but SafeMath protects from overflows

An integer overflow weakness could kill Ethereum. For more details, please see the post below:

Jul 2018 – Integer overflow may kill Ethereum!

But SafeMath protects from overflows.

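SafeMath's add computes c = a + b and then checks c >= a. The check catches every overflow, which can be shown by contradiction:

Suppose a + b overflows. Then c = a + b - M (where M = 2**256 is the max uint256 plus one).

If c >= a held, substituting gives a + b - M >= a.

Cancelling and reordering terms gives b >= M.

But b is a uint256 and thus b < M, a contradiction. So after an overflow c < a, and the check c >= a fails.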

write an algebraic expression in a certain order. We start with the terms that have the largest exponents and work our way down to the constants. Using the commutative property of addition, we can rearrange the terms and put this expression in correct order, like this.

Reference:
Before you evaluate an algebraic expression, you need to simplify it. This will make all your calculations much easier. Here are the basic steps to follow to simplify an algebraic expression:

remove parentheses by multiplying factors
use exponent rules to remove parentheses in terms with exponents
combine like terms by adding coefficients
combine the constants

http://www.math.com/school/subject2/lessons/S2U2L5DP.html

How does the SafeMath library of OpenZeppelin protect your code from integer overflow?

https://ethereum.stackexchange.com/questions/38525/how-does-the-safemath-library-of-openzeppelin-protect-your-code-from-integer-ove?rq=1

Jul 2018 – Integer overflow may kill Ethereum!

Quote:
Attacker passes int greater than max (positive)
–> value wraps around to the min (negative!)

Can cause unexpected program behavior, possible buffer overflow exploits

The current market cap of Ether (ETH) is larger than that of Ripple and Litecoin, although it is far behind Bitcoin (BTC). Ethereum has potential market power, but integer overflow is its enemy. Investors may be scared off when a related incident occurs.

What is the modulus in math?
Notice that the numbers on the clock go up to twelve, and then they start over.
In mathematics, this circular counting is called modular arithmetic, and the number 12 in this example is called a modulus.

This suggests that when a value reaches the modulus, it resets to zero.

For instance, the owner of the smart contract can set sellPrice and buyPrice using the setPrices() function. For example, after some transactions, the owner could set sellPrice to 0x8000000000000000000000000000000000000000000000000000000000000000. When a user then wants to sell 2 ETCBKs back for ETH, amount * sellPrice wraps around the modulus and equals 0. The seller thus gives up 2 ETCBKs but receives no ETH in return. The contract keeps it, which makes this token unsafe. An overflow condition gives incorrect results and, particularly if the possibility has not been anticipated, can compromise a program’s reliability and security.

In theory, a programming language with “Safe Math” support can prevent integer overflow and underflow from happening.

The table below shows how integer overflow is handled in various programming languages.

Integer overflow handling in various programming languages

Language | Unsigned integer | Signed integer
Ada | modulo the type’s modulus | raise Constraint_Error
C/C++ | modulo power of two | undefined behavior
C# | modulo power of 2 in unchecked context; System.OverflowException is raised in checked context (both)
Java | N/A | modulo power of two
JavaScript | all numbers are double-precision floating-point (both)
MATLAB | Builtin integers saturate. Fixed-point integers configurable to wrap or saturate (both)
Python 2 | N/A | convert to long type (bigint)
Seed7 | N/A | raise OVERFLOW_ERROR
Scheme | N/A | convert to bigNum
Simulink | configurable to wrap or saturate (both)
Smalltalk | N/A | convert to LargeInteger
Swift | Causes error unless using special overflow operators (both)

This can happen whenever you perform arithmetic operations such as +, – or *. When using the SafeMath library, the results of these operations are checked, and an error is thrown that stops the execution of your smart contract.
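The sell example above and the c >= a argument can both be checked with a small model. This is an added example, not code from any of the listed tokens or from OpenZeppelin: it models pre-0.8 Solidity uint256 arithmetic in Python, the Token class and helper names are hypothetical, and the guards mirror SafeMath's assert(c >= a) and assert(c / a == b).

```python
"""Model of wrapping uint256 arithmetic versus SafeMath-style checked arithmetic.

Assumption: pre-0.8 Solidity semantics, where + and * wrap silently.
All names here are illustrative and the sample values are constructed.
"""

UINT_MAX = (1 << 256) - 1
SELL_PRICE = 1 << 255   # the 0x8000...0000 sellPrice quoted in the text
AMOUNT = 2              # tokens the user sells in the text's example


class Overflow(Exception):
    """Stands in for the failed assert that stops contract execution."""


def wrap_add(a, b, bits=256):
    return (a + b) % (1 << bits)


def wrap_mul(a, b, bits=256):
    return (a * b) % (1 << bits)


def safe_add(a, b, bits=256):
    c = wrap_add(a, b, bits)
    if c < a:                      # SafeMath: assert(c >= a)
        raise Overflow("add")
    return c


def safe_mul(a, b, bits=256):
    if a == 0:
        return 0
    c = wrap_mul(a, b, bits)
    if c // a != b:                # SafeMath: assert(c / a == b)
        raise Overflow("mul")
    return c


def check_add_guard(bits=8):
    """Exhaustively confirm on a small word that c < a exactly when a + b overflows."""
    m = 1 << bits
    return all((wrap_add(a, b, bits) < a) == (a + b >= m)
               for a in range(m) for b in range(m))


def check_mul_guard(bits=8):
    """Same exhaustive check for the multiplication guard."""
    m = 1 << bits
    return all((a != 0 and wrap_mul(a, b, bits) // a != b) == (a * b >= m)
               for a in range(m) for b in range(m))


class Token:
    """Minimal token with the mintToken and sell paths named in the CVE list."""

    def __init__(self, sell_price, safe):
        self.sell_price = sell_price
        self.add, self.mul = (safe_add, safe_mul) if safe else (wrap_add, wrap_mul)
        self.balance_of = {}

    def mint_token(self, target, amount):
        self.balance_of[target] = self.add(self.balance_of.get(target, 0), amount)

    def sell(self, seller, amount):
        payout = self.mul(amount, self.sell_price)   # may wrap to 0
        if self.balance_of.get(seller, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance_of[seller] -= amount
        return payout                                # ETH owed to the seller


def attempt(action):
    """Run a contract call and report whether it completed or was stopped."""
    try:
        return action()
    except Overflow:
        return "reverted"


def demo():
    weak, hard = Token(SELL_PRICE, safe=False), Token(SELL_PRICE, safe=True)
    for token in (weak, hard):
        token.mint_token("seller", AMOUNT)
        token.mint_token("user", UINT_MAX)
    return {
        # Wrapping arithmetic: tokens are taken, payout is 0.
        "weak_payout": attempt(lambda: weak.sell("seller", AMOUNT)),
        "weak_seller_balance": weak.balance_of["seller"],
        # Checked arithmetic: the call stops before any state changes.
        "hard_payout": attempt(lambda: hard.sell("seller", AMOUNT)),
        "hard_seller_balance": hard.balance_of["seller"],
        # Minting on top of a full balance wraps it instead of failing.
        "weak_mint": attempt(lambda: weak.mint_token("user", 2)),
        "weak_user_balance": weak.balance_of["user"],
        "hard_mint": attempt(lambda: hard.mint_token("user", 2)),
        "hard_user_balance": hard.balance_of["user"],
    }


if __name__ == "__main__":
    print("add guard exact:", check_add_guard())
    print("mul guard exact:", check_mul_guard())
    for key, value in demo().items():
        print(key, value)
```

The exhaustive checks use an 8-bit word because the argument does not depend on the width; the token scenario uses the full 256-bit modulus.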

Solidity can do the magic

With Solidity, you can call the public functions defined by a library. The SafeMath library protects against inputs that could make your contract do unexpected things after arithmetic operations overflow or underflow.

Perhaps earlier cryptocurrency tokens did not use the Solidity library, which made it possible for an attacker to conduct integer overflow attacks. Below is the latest CVE status as of Jul 2018.

ethereum — aichain_token The mintToken function of a smart contract implementation for AIChain, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13175 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/AIChain
ethereum — air-contact_token The mintToken function of a smart contract implementation for Air-Contact Token (AIR), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13179 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/AirContactToken
ethereum — alex_token The mintToken function of a smart contract implementation for ALEX, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13162 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ALEX%20%28ALEX%29
ethereum — appcoins_token The mintToken function of a smart contract implementation for appcoins (APPC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13185 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/appcoins
ethereum — assettoken The mintToken function of a smart contract implementation for AssetToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13158 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/AssetToken
ethereum — athleticoin_token The mintToken function of a smart contract implementation for AthletiCoin (ATHA), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13166 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/AthletiCoin
ethereum — atlant_token ATLANT (ATL) is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-11429 https://github.com/dwfault/AirTokens/tree/master/ATLANT
ethereum — azuriontoken The mintToken function of a smart contract implementation for AzurionToken (AZU), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13068 https://github.com/VenusADLab/EtherTokens/blob/master/AzurionToken/AzurionToken.md
ethereum — bankcoin_token The mintToken function of a smart contract implementation for bankcoin (BNK), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13159 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/bankcoin
ethereum — betcash_token The mintToken function of a smart contract implementation for Betcash (BC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13076 https://github.com/VenusADLab/EtherTokens/blob/master/Betcash/Betcash.md
ethereum — bitotal_token Bitotal (TFUND) is a smart contract running on Ethereum. The mintTokens function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13130 https://github.com/dwfault/AirTokens/tree/master/Bitotal
ethereum — bittelux_token The transfer and transferFrom functions of a smart contract implementation for Bittelux (BTX), an Ethereum token, have an integer overflow. CVE-2018-13326 https://github.com/safecomet/EtherTokens/blob/master/Bittelux%20%28BTX%29/Bittelux%20%28BTX%29.md
ethereum — bonustoken The mintToken function of a smart contract implementation for bonusToken (BNS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13156 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/bonusToken
ethereum — bzxcoin_token The mintToken function of a smart contract implementation for bzxcoin (BZX), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13172 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/bzxcoin
ethereum — carbon_exchange_coin_token The mintToken function of a smart contract implementation for Carbon Exchange Coin Token (CEC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13075 https://github.com/VenusADLab/EtherTokens/blob/master/CarbonExchangeCoinToken/CarbonExchangeCoinToken.md
ethereum — ccindex10_token The mintToken function of a smart contract implementation for CCindex10 (T10), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13071 https://github.com/VenusADLab/EtherTokens/blob/master/CCindexToken/CCindexToken.md
ethereum — chuchulingaigo_token The transfer and transferFrom functions of a smart contract implementation for ChuCunLingAIGO (CCLAG), an Ethereum token, have an integer overflow. CVE-2018-13327 https://github.com/safecomet/EtherTokens/blob/master/ChuCunLingAIGO%20%28CCLAG%29/ChuCunLingAIGO%20%28CCLAG%29.md
ethereum — cibn_live_token The mintToken function of a smart contract implementation for CIBN Live Token (CIBN LIVE), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13187 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/CIBNLiveInteractiveToken
ethereum — coffeecoin_token The mintToken function of a smart contract implementation for Coffeecoin (COFFEE), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13072 https://github.com/VenusADLab/EtherTokens/blob/master/Coffeecoin/Coffeecoin.md
ethereum — coinstar_token The mintToken function of a smart contract implementation for Coinstar (CSTR), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13087 https://github.com/VenusADLab/EtherTokens/blob/master/MyAdvancedToken/MyAdvancedToken.md
ethereum — cointoken The sell function of a smart contract implementation for CoinToken, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13217 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/CoinToken
ethereum — cranoo_token The mintToken function of a smart contract implementation for Cranoo (CRN), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13195 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/CranooAdvanced
ethereum — crowdnext_token The sell function of a smart contract implementation for Crowdnext (CNX), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13228 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Crowdnext
ethereum — cryptoabs_token The mintToken function of a smart contract implementation for CryptoABS (ABS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13174 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/CryptoABS
ethereum — cryptonitexcoin_token The mintToken function of a smart contract implementation for CryptonitexCoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13157 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/CryptonitexCoin
ethereum — ctb_token The mintToken function of a smart contract implementation for CTB, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13077 https://github.com/VenusADLab/EtherTokens/blob/master/CTB/CTB.md
ethereum — dateme_token The sell function of a smart contract implementation for DateMe (DMX) (Contract Name: ProgressiveToken), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13200 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ProgressiveToken
ethereum — destineed_token The sell function of a smart contract implementation for DestiNeed (DSN), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13230 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/DestiNeedToken
ethereum — dvchain_token The mintToken function of a smart contract implementation for DVChain, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13190 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/DVChain
ethereum — dychain_token The mintToken function of a smart contract implementation for DYchain (DYC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13069 https://github.com/VenusADLab/EtherTokens/blob/master/DYC/DYC.md
ethereum — easy_trading_token The transfer and transferFrom functions of a smart contract implementation for Easy Trading Token (ETT), an Ethereum token, have an integer overflow. CVE-2018-13113 https://github.com/safecomet/EtherTokens/tree/master/Easy%20Trading%20Token%20%28ETT%29
ethereum — ectoints_token The mintToken function of a smart contract implementation for ECToints (ECT) (Contract Name: ECPoints), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13178 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ECPoints
ethereum — eliteshippertoken The mintToken function of a smart contract implementation for EliteShipperToken (ESHIP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13173 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/EliteShipperToken
ethereum — encryptedtoken The mintToken function of a smart contract implementation for EncryptedToken (ECC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13070 https://github.com/VenusADLab/EtherTokens/blob/master/EncryptedToken/EncryptedToken.md
ethereum — enter_token The sell function of a smart contract implementation for ENTER (ENTR) (Contract Name: EnterToken), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13231 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/EnterToken
ethereum — enter_token The sell function of a smart contract implementation for ENTER (ENTR) (Contract Name: EnterCoin), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13232 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/EnterCoin
ethereum — eppcoin_token The mintToken function of a smart contract implementation for EPPCOIN (EPP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13164 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MyEPPToken
ethereum — ethercash_token The sell function of a smart contract implementation for ETHERCASH (ETC), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13204 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ETHERCASH
ethereum — ethereum_cash_pro_token The mintToken function of a smart contract implementation for Ethereum Cash Pro (ECP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13169 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Ethereum_Cash_Pro_Coin
ethereum — ethereumblack_token The mintToken function of a smart contract implementation for ETHEREUMBLACK (ETCBK), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13073 https://github.com/VenusADLab/EtherTokens/blob/master/ETHEREUMBLACK/ETHEREUMBLACK.md
ethereum — ethereumblack_token The sell function of a smart contract implementation for ETHEREUMBLACK (ETCBK), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13199 https://github.com/BlockChainsSecurity/EtherTokens/blob/master/ETHEREUMBLACK/sell%20integer%20overflow.md
ethereum — ethereumlegit_token The sell function of a smart contract implementation for EthereumLegit, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13212 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/EthereumLegit
ethereum — ethernet_cash_token The mintToken function of a smart contract implementation for Ethernet Cash (ENC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13163 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Ethernet%20Cash%20%28ENC%29
ethereum — etherty_token Etherty Token (ETY) is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13128 https://github.com/dwfault/AirTokens/tree/master/ETY
ethereum — etktokens The mintToken function of a smart contract implementation for etktokens (ETK), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13160 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/etktokens
ethereum — extreme_coin_token The sell function of a smart contract implementation for Extreme Coin (XT) (Contract Name: ExtremeToken), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13221 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ExtremeToken
ethereum — fibtoken The mintToken function of a smart contract implementation for FIBToken (FIB), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13074 https://github.com/VenusADLab/EtherTokens/blob/master/FIBToken/FIBToken.md
ethereum — freecoin_token The mintToken function of a smart contract implementation for FreeCoin (FREE), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13085 https://github.com/VenusADLab/EtherTokens/blob/master/FreeCoin/FreeCoin.md
ethereum — futures_pease_token The mintToken function of a smart contract implementation for Futures Pease (FP), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13088 https://github.com/VenusADLab/EtherTokens/blob/master/TokenERC20/TokenERC20.md
ethereum — gemchain_token The mintToken function of a smart contract implementation for GEMCHAIN (GEM), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13155 https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md
ethereum — gmile_token The sell function of a smart contract implementation for GMile, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13214 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/GMile
ethereum — go_ethereum The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue. CVE-2018-12018 https://github.com/ethereum/go-ethereum/releases/tag/v1.8.11
ethereum — good_time_coin_token The mintToken function of a smart contract implementation for Good Time Coin (GTY), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13084 https://github.com/VenusADLab/EtherTokens/blob/master/GoodTimeCoin/GoodTimeCoin.md
ethereum — goodto_token The mintToken function of a smart contract implementation for GoodTo (GTO), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13079 https://github.com/VenusADLab/EtherTokens/blob/master/GoodTo/GoodTo.md
ethereum — goutex_token The mintToken function of a smart contract implementation for Goutex (GTX), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13080 https://github.com/VenusADLab/EtherTokens/blob/master/Goutex/Goutex.md
ethereum — greenmed_token The sell function of a smart contract implementation for GreenMed (GRMD), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13216 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/GreenMed
ethereum — growchain_token The _sell function of a smart contract implementation for GROWCHAIN (GROW), an Ethereum token, has an integer overflow. CVE-2018-13325 https://github.com/safecomet/EtherTokens/blob/master/GROWCHAIN%20%28GROW%29/GROWCHAIN%20%28GROW%29.md
ethereum — gsi_token The sell function of a smart contract implementation for GSI, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13233 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/GSI
ethereum — gvtoken_genesis_vision GVToken Genesis Vision (GVT) is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-11335 https://github.com/dwfault/AirTokens/tree/master/GVT
ethereum — gzs_token The mintToken function of a smart contract implementation for GZS Token (GZS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13081 https://github.com/VenusADLab/EtherTokens/blob/master/GZSToken/GZSToken.md
ethereum — hentaisolo_token The mintToken function of a smart contract implementation for hentaisolo (HAO), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13193 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/hentaisolo
ethereum — iadowr_coin_token The mintToken function of a smart contract implementation for IADOWR Coin (IAD), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13086 https://github.com/VenusADLab/EtherTokens/blob/master/IADOWR/IADOWR.md
ethereum — ico_dollar_token The sell function of a smart contract implementation for ICO Dollar (ICOD), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13218 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ICODollar
ethereum — imm_coin_token The mintToken function of a smart contract implementation for IMM Coin (IMC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13180 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/IMMCoin
ethereum — javaswaptest_token The mintToken function of a smart contract implementation for JavaSwapTest (JST), an Ethereum token, has an integer overflow. CVE-2018-13145 https://github.com/safecomet/EtherTokens/blob/master/JavaSwapTest%20%28JST%29/JavaSwapTest%20%28JST%29.md
ethereum — jitech_token The mintToken function of a smart contract implementation for Jitech (JTH), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13078 https://github.com/VenusADLab/EtherTokens/blob/master/Jitech/Jitech.md
ethereum — jobscoin_token The mintToken function of a smart contract implementation for Jobscoin (JOB), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13192 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Jobscoin
ethereum — justdcoin_token The mintToken function of a smart contract implementation for JustDCoin (JustD), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13165 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/DCoin
ethereum — jwc_token The mintToken function of a smart contract implementation for JWC, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13183 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/JWCToken
ethereum — ladatoken_token The mintToken function of a smart contract implementation for LadaToken (LDT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13171 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/LadaToken
ethereum — lef_token The mintToken, buy, and sell functions of a smart contract implementation for LEF, an Ethereum token, have an integer overflow. CVE-2018-13146 https://github.com/safecomet/EtherTokens/blob/master/LEF%20%28LEF%29/LEF%20%28LEF%29.md
ethereum — link_platform_token The mint function of a smart contract implementation for Link Platform (LNK), an Ethereum ERC20 token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13041 https://github.com/dwfault/AirTokens/blob/master/Link_Platform__LNK_/mint%20integer%20overflow.md
ethereum — loncoin_token The mintToken function of a smart contract implementation for loncoin (LON), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13182 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/loncoin
ethereum — mavcash_token The sell function of a smart contract implementation for MAVCash, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13220 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MAVCash
ethereum — miningrigrentals_token The mintToken function of a smart contract implementation for MiningRigRentals Token (MRR), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13177 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MiningRigRentalsToken
ethereum — mmtcoin_token The mintToken function of a smart contract implementation for MMTCoin (MMT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13186 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MMTCoinToken
ethereum — modi_token The mintToken function of a smart contract implementation for MODI Token (MODI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13082 https://github.com/VenusADLab/EtherTokens/blob/master/ModiTokenERC20/ModiTokenERC20.md
ethereum — moneychainnet_token The sell function of a smart contract implementation for MoneyChainNet (MCN), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13227 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MoneyChainNetToken
ethereum — moneytree_token The sell function of a smart contract implementation for MoneyTree (TREE), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13208 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MoneyTreeToken
ethereum — moxyonepresale MoxyOnePresale is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13126 https://github.com/dwfault/AirTokens/tree/master/MoxyOnePresale
ethereum — multigames_token The mintToken function of a smart contract implementation for MultiGames (MLT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13161 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MultiGamesToken
ethereum — mybo_token The sell function of a smart contract implementation for MyBO, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13202 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MyBoToken
ethereum — mybo_token The mintToken function of a smart contract implementation for MyBO, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13188 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MyBoToken
ethereum — mytoken The sell function of a smart contract implementation for MyToken, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13211 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MyToken
ethereum — myylc_token The sell function of a smart contract implementation for MyYLC, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13225 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MyYLCToken
ethereum — nectar_token The sell function of a smart contract implementation for Nectar (NCTR), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13209 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/NectarCoin
ethereum — objecttoken_token The sell function of a smart contract implementation for ObjectToken (OBJ), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13222 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ObjectToken
ethereum — ohni_2_token The sell function of a smart contract implementation for ohni_2 (OHNI), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13205 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Ohni
ethereum — pandora_token The transfer and transferFrom functions of a smart contract implementation for Pandora (PDX), an Ethereum token, have an integer overflow. CVE-2018-13144 https://github.com/safecomet/EtherTokens/blob/master/Pandora%20%28PDX%29/Pandora%20%28PDX%29.md
ethereum — pfgc_token The transfer, transferFrom, and mint functions of a smart contract implementation for PFGc, an Ethereum token, have an integer overflow. CVE-2018-13328 https://github.com/safecomet/EtherTokens/blob/master/PFGc%20%28PFGc%29/PFGc%20%28PFGc%29.md
ethereum — plaza_token The mintToken function of a smart contract implementation for Plaza Token (PLAZA), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13083 https://github.com/VenusADLab/EtherTokens/blob/master/PlazaToken/PlazaToken.md
ethereum — porncoin_token The sell function of a smart contract implementation for PornCoin (PRNC), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13207 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/PornCoin
ethereum — providence_crypto_casino_token The sell function of a smart contract implementation for Providence Crypto Casino (PVE) (Contract Name: ProvidenceCasinoToken), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13210 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ProvidenceCasinoToken
ethereum — providencecasino_token The sell function of a smart contract implementation for ProvidenceCasino (PVE), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13206 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/PVE
ethereum — r_time_token The sell function of a smart contract implementation for R Time Token v3 (RS) (Contract Name: RTokenMain), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13223 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/RTokenMain
ethereum — reimburse_token The mintToken function of a smart contract implementation for Reimburse Token (REIM), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13092 https://github.com/VenusADLab/EtherTokens/blob/master/ReimburseToken/ReimburseToken.md
ethereum — ribtidecoin_token The sell function of a smart contract implementation for RiptideCoin (RIPT), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13229 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/RiptideCoin
ethereum — sample_token The sell function of a smart contract implementation for Sample Token (STK) (Contract Name: cashBackMintable), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13215 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/cashBackMintable
ethereum — snoqualmie_coin_token The mintToken function of a smart contract implementation for Snoqualmie Coin (SNOW), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13170 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/SnoqualmieCoin
ethereum — sp8de_presale_token SP8DE PreSale Token (DSPX) is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13127 https://github.com/dwfault/AirTokens/tree/master/DSPX
ethereum — sp8de_token SP8DE Token (SPX) is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13129 https://github.com/dwfault/AirTokens/blob/master/SPXToken/mint%20interger%20overflow.md
ethereum — spadeico Spadeico is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13132 https://github.com/dwfault/AirTokens/tree/master/SpadeICO
ethereum — spadepresale SpadePreSale is a smart contract running on Ethereum. The mint function has an integer overflow that allows minted tokens to be arbitrarily retrieved by the contract owner. CVE-2018-13131 https://github.com/dwfault/AirTokens/tree/master/SpadePreSale
ethereum — stex_exchange_ico_token The sell function of a smart contract implementation for STeX Exchange ICO (STE), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13198 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/STE
ethereum — sumocoin_token The mintToken function of a smart contract implementation for sumocoin (SUMO), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13091 https://github.com/VenusADLab/EtherTokens/blob/master/sumocoin/sumocoin.md
ethereum — super_carbon_coin_token The mintToken function of a smart contract implementation for Super Carbon Coin (SCC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13191 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/SuperCarbonCoinToken
ethereum — swaptoken_token The sellBuyerTokens function of a smart contract implementation for SwapToken, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13203 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/SwapToken
ethereum — t-swap-token The sell function of a smart contract implementation for T-Swap-Token (T-S-T), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13196 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TSwap
ethereum — titok-ticket_token The sell function of a smart contract implementation for TiTok – Ticket Token (Contract Name: MyAdvancedToken7), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13201 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/MyAdvancedToken7
ethereum — tongtong_coin_token The mintToken function of a smart contract implementation for TongTong Coin (TTCoin), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13194 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TTCoin
ethereum — travelcoin_token The sell function of a smart contract implementation for TravelCoin (TRV), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13213 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TravelCoinToken
ethereum — travelzedi_token The mintToken function of a smart contract implementation for TravelZedi Token (ZEDI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13184 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TravelZediToken
ethereum — troo_token The mintToken function of a smart contract implementation for Troo, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13181 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/Troo
ethereum — trust_zen_token The mintToken function of a smart contract implementation for Trust Zen Token (ZEN), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13176 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TrustZen
ethereum — universal_coin_token The mintToken function of a smart contract implementation for Universal Coin (UCOIN), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13089 https://github.com/VenusADLab/EtherTokens/blob/master/UCoinToken/UCoinToken.md
ethereum — unolabo_token The mint function of a smart contract implementation for Unolabo (UNLB), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13189 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/UNLB
ethereum — virtual_energy_units_token The sell function of a smart contract implementation for Virtual Energy Units (VEU) (Contract Name: VEU_TokenERC20), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13224 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/TokenERC20
ethereum — welfare_token_fund_token The sell function of a smart contract implementation for Welfare Token Fund (WTF), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13197 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/WelfareTokenFund
ethereum — yitongcoin_token The mintToken function of a smart contract implementation for YiTongCoin (YTC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13090 https://github.com/VenusADLab/EtherTokens/blob/master/YiTongCoin/YiTongCoin.md
ethereum — ylctoken The sell function of a smart contract implementation for YLCToken, an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13226 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/YLCToken
ethereum — yourcoin_token The sell function of a smart contract implementation for YourCoin (ICO) (Contract Name: ETH033), an Ethereum token, has an integer overflow in which “amount * sellPrice” can be zero, consequently reducing a seller’s assets. CVE-2018-13219 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ETH033
ethereum — yu_gi_oh_token The mintToken function of a smart contract implementation for Yu Gi Oh (YGO) (Contract Name: NetkillerBatchToken), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13168 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/NetkillerBatchToken
ethereum — yu_gi_oh_token The mintToken function of a smart contract implementation for Yu Gi Oh (YGO), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value. CVE-2018-13167 https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ygo

 

Vault 7 re-engineering by hackers. They aim to steal cryptocurrency.

As far as we know, Notepad++ has been updated to version 7.3.3. The update aims to remediate a vulnerability in Notepad. The vulnerability was exploited by law enforcement to conduct surveillance. The specifics were released by WikiLeaks in 2017 in the announcement known as Vault 7.
The WannaCry ransomware re-engineered a Microsoft SMB weakness and jeopardized the world. It wreaked havoc in the cyber security world in the 1st quarter of 2018.
Cryptocurrency technology is proud of its design concept and claims that it can fundamentally reduce cyber attacks. The reality is that the total number of data breaches and the amount of money lost are no less than with traditional technology architecture. What is the root cause that lets distributed technology demote its cyber security in today's scenario?
Per observation, the limitations of cryptocurrency systems frequently occur in endpoint devices. From a technical point of view, zero-day attacks are hard to avoid on personal end-point devices (mobile phone, notebook and desktop). As usual, a hint for cryptocurrency owners: stay alert. As a matter of fact, nowadays antivirus can keep your system secure. Please make sure your virus signatures are up to date.

2.3 Million Cryptocurrency Addresses Monitored by Clipboard Hijacking Malware headline news (see below):

https://www.blockchainnews.buzz/2018/07/01/2-3-million-cryptocurrency-addresses-monitored-by-clipboard-hijacking-malware/

Bitcoin exchanges must remain vigilant to low value coins

Heard that a vulnerability was found in a cryptocurrency (FuturXE (FXE)). The problem is that the smart contract designer made a programming logic mistake. The Department of Homeland Security confirmed the bug this week. (CVE-2018-12025) – https://nvd.nist.gov/vuln/detail/CVE-2018-12025

So far the vulnerabilities and cyber attacks never seem to stop. Do you still remember that virtual currency exchange Coincheck lost $400 million in NEM cryptocurrency in Jan 2018?

The hack only involved NEM, because the security breach was caused by Coincheck's lack of strong security measures in its implementation of NEM, lacking the use of multisignature support or a cold wallet.

It looks like criminal groups will be interested in low market value cryptocurrency. For instance, in CVE-2018-10468 a hacker exploited a useless token combined with a vulnerability to steal the token. Coincheck lost $400 million in NEM, but the market price of each coin is low.

The FuturXE market price is equal to zero, but the coin is still available to buy on the market. I think this type of coin will lure the interest of criminal groups. The fact is that this type of coin will be exploited for money laundering. Since the coin has a vulnerability, a criminal group can hire a hacker to steal the coin and wait for bitcoin exchanges to reimburse the funds to achieve the money laundering objective.

— End —

Hyperledger Iroha v1.0 beta-2 version to remediate CVE-2018-3756 (May 2018)

The earlier generation of blockchain technology let the world know the capability of its encryption. As time went by, people found that the design weakness of blockchain technology is the performance of synchronization between peer nodes. This design weakness causes the double-spending vulnerability. The next generation of the technology is called Hyperledger. It addresses the design weakness of blockchain. As a result, cryptocurrency, especially Ethereum, relies on Hyperledger Fabric in demand. A blockchain project developed by several Japanese firms, including startup Soramitsu and IT giant Hitachi, has been accepted into the Hyperledger blockchain initiative. A fix was released by the Hyperledger Iroha project two weeks ago. Hyperledger Iroha v1.0 beta-2 is available for download. The reason is that critical vulnerabilities were discovered during the security audit.

In 2017, Cambodia's central bank tapped Hyperledger Iroha for blockchain settlement. Perhaps they have updated to beta 2 already.

If you are interested in the details, please refer to the links below:

Cambodia central bank taps Hyperledger Iroha for blockchain settlement – https://www.cryptoninjas.net/2017/04/20/cambodia-central-bank-taps-hyperledger-iroha-blockchain-settlement/

Beta 2 (download): https://github.com/hyperledger/iroha/releases/tag/v1.0.0_beta-2

See whether Bitcoin signatures do not comply with RFC 6979

Have you heard the song by Dinah Washington? The song title is What a Difference a Day Made. In the cryptocurrency world, bitcoin is the big brother. However, the technology world is still concerned about whether Bitcore signatures comply with the RFC 6979 specification.

Bitcoin owners must protect the private key. The concept is that generating the random number k on the elliptic curve is crucial: every transaction signature in Bitcoin requires a random number k to compute a point k*G. If this k is not chosen randomly, it instantly leaks the private key.

Do you think attached diagram can provide the resolution to you in this regard?

What A Diff’rence A Day Makes Lyrics: What a difference a day made? Twenty-four little hours. Brought the sun and the flowers.Where there used to be rain……..

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA):

https://tools.ietf.org/html/rfc6979
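An added example (not Bitcoin's or Bitcore's code) of the point above about k: RFC 6979 derives k from the private key and the message hash with HMAC-SHA256, and an r value shared by different messages under one key is the audit signal of a reused nonce. The key, messages, fixed k and helper names are constructed for illustration; the sketch hashes with a single SHA-256 and is not constant-time.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin signs with).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add affine points on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point=G):
    """Double-and-add. Not constant-time: demonstration only."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def rfc6979_k(priv, digest):
    """RFC 6979 section 3.2 with HMAC-SHA256, for the case qlen == hlen == 256."""
    x = priv.to_bytes(32, "big")
    h1 = (int.from_bytes(digest, "big") % N).to_bytes(32, "big")  # bits2octets
    v, key = b"\x01" * 32, b"\x00" * 32
    key = _hmac(key, v + b"\x00" + x + h1)
    v = _hmac(key, v)
    key = _hmac(key, v + b"\x01" + x + h1)
    v = _hmac(key, v)
    while True:
        v = _hmac(key, v)
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k
        key = _hmac(key, v + b"\x00")  # candidate out of range: re-key and retry
        v = _hmac(key, v)

def sign(priv, message, k=None):
    """ECDSA over SHA-256(message); pass k only to model a broken nonce source."""
    digest = hashlib.sha256(message).digest()
    z = int.from_bytes(digest, "big")
    k = rfc6979_k(priv, digest) if k is None else k
    r = scalar_mult(k)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def verify(pub, message, sig):
    """Standard ECDSA verification against the public point pub."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def reused_nonces(signed):
    """Audit check: r values shared by different messages signed under one key."""
    by_r = {}
    for message, (r, _s) in signed:
        by_r.setdefault(r, set()).add(message)
    return {r for r, msgs in by_r.items() if len(msgs) > 1}

# Constructed demo inputs (not real keys or transactions).
PRIV = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
PUB = scalar_mult(PRIV)
MESSAGES = [b"constructed tx 1", b"constructed tx 2"]
DETERMINISTIC = [(m, sign(PRIV, m)) for m in MESSAGES]
FIXED_K = [(m, sign(PRIV, m, k=0x1234567)) for m in MESSAGES]  # same k twice
```

Both sets of signatures verify, so validity alone says nothing about nonce quality; only `reused_nonces(FIXED_K)` is non-empty.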

Bitcoin Bunker

In the movies, the tycoon decides to keep his money in Switzerland. Whatever the special reasons, Swiss-made products or a Swiss location offer the world a secure environment. Besides, the Swiss army knife is a symbol of a permanent and reliable tool for soldiers. I just heard from a Bloomberg headline that the wealthy are hoarding $10 billion of bitcoin in bunkers. Xapo is similar to a bunker: after operating for just 4 years, it has more “deposits” than 98 percent of the roughly 5,670 banks in the U.S. I am interested in what the perfect way to protect your bitcoin is. See whether it is a paper wallet instead of an electronic one. For more details, please refer to the URL below.

The Wealthy Are Hoarding $10 Billion of Bitcoin in Bunkers

https://www.bloomberg.com/news/articles/2018-05-09/bunkers-for-the-wealthy-are-said-to-hoard-10-billion-of-bitcoin

The design weakness of Ethereum


Preface:

What is your view of cryptocurrency security features at this moment? From a technical point of view, blockchain technology is able to protect the data in the block, so it is hard for a hacker to modify the data. It looks like a perfect system. As far as we know, cryptocurrency platforms are not as secure as expected. But what is the actual problem?

The above diagram explicitly shows the design weakness of Ethereum. Critical vulnerabilities have occurred in both the smart contract and the Ethereum wallet: a design weakness in the end point (the Ethereum wallet), in addition to vulnerabilities in the smart contract. This gives people the gut feeling that cryptocurrency is not really safe.

Known Attack

Integer Overflow and Underflow

Definition of integer overflow – If a balance reaches the maximum uint value (2^256) it will circle back to zero. Since the uint variable changes state, if any user can call functions which update the uint value, it is more vulnerable to attack.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using an HTTP or IPC connection. It is not news that vulnerabilities in Java applications expose end users to cyber attacks. The informative diagram above shows that the integer overflow vulnerability in the Ethereum case study involves a Java applet on the client side. As a front-end application, a Java application may not be aware that it is an accomplice in the cryptocurrency cyber security incident.

Definition of integer underflow – If a uint is made to be less than zero, it will cause an underflow and get set to its maximum value. C-like underflow might affect Solidity storage. It can arbitrarily allow malicious changes to constant variables. Below is an example of uint overflow and underflow.

Remark: What is the largest value you can represent using a 256-bit unsigned integer?

The 256-bit unsigned int (uint) data type can hold integer values in the range of 0 to 115792089237316195423570985008687907853269984665640564039457584007913129639935

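pragma solidity ^0.4.24; // compilers before 0.8.0 wrap silently instead of reverting

contract C {
    // (2**256 - 1) + 1 = 0
    function overflow() public pure returns (uint256 _overflow) {
        uint256 max = 2**256 - 1;
        return max + 1; // wraps around to 0
    }

    // 0 - 1 = 2**256 - 1
    function underflow() public pure returns (uint256 _underflow) {
        uint256 min = 0;
        return min - 1; // wraps around to the maximum uint256
    }
}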
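The wraparound above, and the SafeMath-style checks that stop it, modelled in Python for the two patterns the advisories on this page describe (the balance addition in mintToken and the product amount * sellPrice in sell). This is an added example, not code from any listed contract; ToyToken, run_case and all values are constructed for illustration.

```python
# Added example: models pre-0.8 Solidity uint256 arithmetic in Python.
# ToyToken and its values are constructed; it is not any listed contract's code.
UINT256_MOD = 2**256
UINT256_MAX = UINT256_MOD - 1

class Revert(Exception):
    """Stands in for a Solidity revert/assert failure."""

# Unchecked arithmetic: what the EVM does when the contract adds no guard.
def wrap_add(a, b):
    return (a + b) % UINT256_MOD

def wrap_sub(a, b):
    return (a - b) % UINT256_MOD

def wrap_mul(a, b):
    return (a * b) % UINT256_MOD

# SafeMath-style arithmetic: compute with wraparound, then prove no wrap occurred.
def safe_add(a, b):
    c = wrap_add(a, b)
    if c < a:  # SafeMath's check is assert(c >= a)
        raise Revert("addition overflow")
    return c

def safe_sub(a, b):
    if b > a:
        raise Revert("subtraction underflow")
    return a - b

def safe_mul(a, b):
    if a == 0:
        return 0
    c = wrap_mul(a, b)
    if c // a != b:  # dividing back must recover b
        raise Revert("multiplication overflow")
    return c

class ToyToken:
    """Constructed model of the mintToken/sell pattern named in the advisories."""

    def __init__(self, sell_price, checked):
        ops = (safe_add, safe_sub, safe_mul) if checked else (wrap_add, wrap_sub, wrap_mul)
        self.add, self.sub, self.mul = ops
        self.sell_price = sell_price
        self.balance_of = {}

    def mint_token(self, target, minted_amount):
        """Owner-only in the listed contracts; access control is omitted here."""
        self.balance_of[target] = self.add(self.balance_of.get(target, 0), minted_amount)

    def sell(self, seller, amount):
        """Return the wei owed to the seller for `amount` tokens."""
        if self.balance_of.get(seller, 0) < amount:
            raise Revert("insufficient balance")
        payout = self.mul(amount, self.sell_price)  # the product the advisories point at
        self.balance_of[seller] = self.sub(self.balance_of[seller], amount)
        return payout

def run_case(checked):
    """Exercise both patterns; returns (result of 2nd mint, payout, final balance)."""
    token = ToyToken(sell_price=2**255, checked=checked)
    token.mint_token("user", 100)
    try:
        token.mint_token("user", UINT256_MAX - 97)  # 100 + (2**256 - 98) wraps to 2
    except Revert as exc:
        after_mint = str(exc)
    else:
        after_mint = token.balance_of["user"]
    try:
        payout = token.sell("user", 2)  # 2 * 2**255 == 2**256, which wraps to 0
    except Revert as exc:
        payout = str(exc)
    return after_mint, payout, token.balance_of["user"]
```

With unchecked arithmetic the second mint shrinks the balance from 100 to 2 and the sale pays 0 wei while still debiting the tokens; with the checks both calls revert and the balance stays at 100.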

A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.

In June 2016, users exploited a vulnerability in the DAO code to enable them to siphon off one third of The DAO’s funds to a subsidiary account. On 20 July 2016 01:20:40 PM +UTC at Block 1920000, the Ethereum community decided to hard-fork the Ethereum blockchain to restore virtually all funds to the original contract.

This affects all dependent multi-sig wallets that were deployed after 20th July: no funds can be moved out of those multi-sig wallets afterwards. For more details, please see below:

contract Wallet {
    function () payable {
        Deposit(...)
    }
}

CVE-2018-10666

CVE-2018-10666 – The vulnerability allows attackers to acquire contract ownership because the setOwner function is declared as public. A new owner can subsequently modify variables (see below diagram for reference).

Status update on 22nd May 2018

CVE-2018-11239 – An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in May 2018, aka the “burnOverflow” issue.

CVE-2018-10944 – The request_dividend function of a smart contract implementation for ROC (aka Rasputin Online Coin), an Ethereum ERC20 token, allows attackers to steal all of the contract’s Ether.

Observation:

In regard to the cyber security incidents that happened in the past, the Ethereum system does not look capable of protecting itself.
Its functionality may be an improvement compared with traditional bitcoin technology (see below):

| | Hyperledger | Ethereum | Bitcoin |
|---|---|---|---|
| Association | Linux Foundation | Ethereum Developers | Bitcoin Developers |
| Currency | N/A | Ether | BTC |
| Mining Reward | N/A | Yes | Yes |
| Network | Design goal – Private | Design goal – Public | Public only |
| Privacy | Private | Open | Open |
| Smart Contracts | Multiple programming languages | C++, Rust and Go | i. Bitcoin Core is written primarily in C++; ii. Lightweight clients like MultiBit and Bitcoin Wallet are written in Java |

Next step: How to Protect Yourself and Your Funds

1. One of the safest and easiest ways to store your ETH is to use a hardware wallet.

2. Activate 2FA (duh) on any exchanges or online wallet you use.

3. Move your ether off exchanges, into a hardware wallet or paper wallet.

How to view your account balance, look up transactions and explore smart contracts?

Etherchain is an Explorer for the Ethereum blockchain. It allows you to view your account balance, look up transactions and explore smart contracts.

Browse all Ethereum Transactions – https://www.etherchain.org/txs

In God We Trust.

— End —

News update on 14th Aug 2018: A critical vulnerability was found in EETHER. An integer overflow occurs in the unprotected distributeToken function. See the details below for reference.

https://github.com/rootclay/Audit-of-smart-contracts/blob/master/0x00a0cbe98e4d110b0fa82646152d77babf2951d0/README.md

CVE-2018-10299 – integer overflow jeopardize Ethereum Zone

In the view of cryptocurrency supporters, Ethereum is the best. The cyber incidents that have occurred in the cryptocurrency world so far shift the security focus to the e-wallet (end point). Perhaps the crypto platform itself contains design limitations. However, the end-point design of the cryptocurrency platform looks to have more room for improvement.

If you install the MetaMask browser plugin, you can manage your accounts in your browser. The keys are stored only in your browser, so you are the only one who has access to your account and the private key. But when the web browser has a vulnerability, it may jeopardize your private key. So, for security, cryptocurrency owners are urged to use a hardware token instead of software.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using an HTTP or IPC connection. It is not news that vulnerabilities in Java applications expose end users to cyber attacks. The informative diagram above shows that the integer overflow vulnerability in the Ethereum case study involves a Java applet on the client side. As a front-end application, a Java application may not be aware that it is an accomplice in the cryptocurrency cyber security incident.

Return to reality. The headline news below shows the vulnerabilities that occurred in Ethereum (see below for reference). I hope the above details can provide hints for your reference. Let us awaken to the design weakness of the Ethereum cryptocurrency platform.

Critical EOS Smart Contract Vulnerability Discovered By Auditing Firm

https://bitcoinexchangeguide.com/critical-eos-smart-contract-vulnerability-discovered-by-auditing-firm/