Vulnerability Description
An issue was discovered in a smart contract implementation for Virgo_ZodiacToken, an Ethereum token. In this contract, 'bool sufficientAllowance = allowance <= _value' will cause an arbitrary transfer in the function transferFrom because '<=' is used instead of '>=' (which was intended). An attacker can transfer from any address to his address, and does not need to meet the 'allowance > value' condition.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Virgo Zodiactoken Project | Virgo Zodiactoken | - |
Related Weaknesses (CWE)
References
- https://github.com/hellowuzekai/blockchains/blob/master/transferFrom.mdExploitThird Party Advisory
- https://github.com/hellowuzekai/blockchains/blob/master/transferFrom.mdExploitThird Party Advisory
FAQ
What is CVE-2018-14089?
CVE-2018-14089 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in a smart contract implementation for Virgo_ZodiacToken, an Ethereum token. In this contract, 'bool sufficientAllowance = allowance <= _value' will cause an arbitrary transfer...
How severe is CVE-2018-14089?
CVE-2018-14089 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-14089?
Check the references section above for vendor advisories and patch information. Affected products include: Virgo Zodiactoken Project Virgo Zodiactoken.