List: oss-security
Subject: [oss-security] erc20 contract KoreaShow bug
From: Qinghao Tang <luodalongde () gmail ! com>
Date: 2018-05-10 15:56:15
Message-ID: CAPcZBq6kE2r-_-XKy22dNsbcKjjds=d2b=kBpMprN84oV63r_Q () mail ! gmail ! com
An integer overflow in the transferMulti function of a smart contract
implementation for KoreaShow, an Ethereum ERC20 token, allows attackers to
accomplish an unauthorized increase of digital assets via crafted _value
parameters.
------------------------------------------------------------
Let's see where this issue is:
function transferMulti(address[] _to, uint256[] _value) public returns (uint256 amount) {
    require(_to.length == _value.length);
    uint8 len = uint8(_to.length);
    for (uint8 j; j < len; j++) {
        amount += _value[j];  // <------ here, crafted _value can make amount overflow
    }
    require(balanceOf[msg.sender] >= amount);
    for (uint8 i; i < len; i++) {
        address _toI = _to[i];
        uint256 _valueI = _value[i];
        balanceOf[_toI] += _valueI;
        balanceOf[msg.sender] -= _valueI;
        Transfer(msg.sender, _toI, _valueI);
    }
}
---------------------------------------------------------------
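To make the failure mode concrete, here is an added Python model of the contract's transferMulti logic (not part of Qinghao Tang's report or the KoreaShow contract): it reproduces the unchecked uint256 accumulation and places a checked version beside it that aborts instead of wrapping. The balance mapping is a plain dict keyed by constructed address strings; "sender", "a" and "b" are stand-ins, not real addresses.

```python
# Added example, not from the advisory: transferMulti modelled with uint256
# wraparound, beside a SafeMath-style checked variant. Balances are a dict
# keyed by constructed address strings standing in for the contract state.

MASK = (1 << 256) - 1  # uint256 arithmetic wraps modulo 2**256

def u256_add(a, b):
    return (a + b) & MASK  # unchecked, as in Solidity before 0.8

def u256_sub(a, b):
    return (a - b) & MASK

def checked_add(a, b):
    """SafeMath-style add: refuse any sum that would wrap past MASK."""
    total = a + b
    if total > MASK:
        raise OverflowError("uint256 overflow")
    return total

def _apply(balances, sender, to, values):
    # Second loop of the contract: credit each recipient, debit the sender.
    for dst, v in zip(to, values):
        balances[dst] = u256_add(balances.get(dst, 0), v)
        balances[sender] = u256_sub(balances.get(sender, 0), v)

def transfer_multi_vulnerable(balances, sender, to, values):
    """Mirrors the contract: unchecked sum, then a single balance check."""
    if len(to) != len(values):
        raise ValueError("length mismatch")
    amount = 0
    for v in values:
        amount = u256_add(amount, v)  # crafted _value wraps this back to 0
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    _apply(balances, sender, to, values)
    return amount

def transfer_multi_fixed(balances, sender, to, values):
    """Same logic, but the accumulation aborts instead of wrapping."""
    if len(to) != len(values):
        raise ValueError("length mismatch")
    amount = 0
    for v in values:
        amount = checked_add(amount, v)
    if balances.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    _apply(balances, sender, to, values)
    return amount
```

With two values of 2**255 the vulnerable sum wraps to 0, so the balance check passes for a sender holding nothing and both recipients are credited; the checked variant raises before any balance is touched.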
If you can reproduce the issue, please give it a CVE id, and disclose
this vulnerability officially, claiming that "Qinghao Tang" is the
discoverer.