IseriCoin Contract Mint Vulnerability
Revision as of 00:00, 21 February 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The smart contract hot wallet of IseriCoin contained a vulnerability which allowed for minting additional coins by attempting to transfer coins to yourself. It is unclear how much the issue was exploited or the end outcome, however the project does not appear to exist anymore.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11]
About IseriCoin
"IseriCoin is a secure collaboration platform powered by TRON Foundation. All protected with end2end encryption."
"Today, the DVP blockchain security monitoring system TRONEYE detected an attack: during 2019-04-08 19:23:12 to 2019-04-09 12:21:30, multiple attackers targeting a TRON-based token (ISERICOIN) launched an attack. The hacker used the contract vulnerability to send a huge amount of ISERICOIN token to his account. The token was put on the KIWIDEX exchange and the transaction has been suspended."
"According to the DVP security team, the incident was caused by the same vulnerability between the ISERICOIN contract and the TRONCRUSH TOKEN contract that had been attacked, so the attacker used the same attack method: as long as the attacker transferred to himself, he obtained an additional amount of tokens equal to the transfer amount."
"On 2019/04/08, PeckShield researchers identified a new type of vulnerability, TransferMint in multiple TRC20 smart contracts, which could be exploited by attackers to mint unlimited tokens. This bug is similar to the ones we identified on ERC20 smart contracts in 2018, such as batchOverflow, proxyOverflow, transferFlaw, and ownerAnyone. However, the TransferMint bug identified on TRC20 contracts is a little bit different from the previous ones."
"According to our data, there are 20+ smart contracts or dapps which are vulnerable to TransferMint. At the time we identified this, PeckShield researchers reported the problem to the owners of those vulnerable TRC20 contracts including Iseri Project"
"When _from == _to, line 81 is overwritten by line 82. Therefore, the balance of _from would be newToVal which is oldToVal + _value or oldFromVal + _value. As a result, you can do balances[_from] = oldFromVal + _value with a _value less than or equal to balances[_from] by a loopback transfer call. That’s the reason we name the loophole TransferMint which leads to arbitrarily increasing the total supply of the token and badly affecting the ecosystem."
"If you were a victim of TBTC, IseriCoin, ReynaToken, ReynaExchange, RET, REYE or REYC please sign our petition at ExitScams.info. There are also instructions on how to file a complaint at the Securities and Exchange Commission against him. The SEC has helped resolve international crypto scams before. More details at exitscams.info. If you know of any other scams he's been a part of please comment. This guy is Tron's STD that needs to go away already."
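The loopback-transfer defect PeckShield describes, modelled in Python as an added example (not the page's or the Iseri project's code): the vulnerable read-both-then-write-both pattern beside a corrected one, and the supply invariant an audit or test suite should enforce. Class and function names are illustrative.

```python
# Added example: a ledger model of the TRC20 "TransferMint" pattern.
# Names (VulnerableToken, FixedToken, supply_invariant_holds) are illustrative.

class VulnerableToken:
    """Reads both balances first, then writes both. When _from == _to the
    second write clobbers the first, so the sender keeps its full balance
    and gains `value` on top: tokens are minted out of nothing."""
    def __init__(self, holders):
        self.balances = dict(holders)
        self.total_supply = sum(holders.values())

    def transfer(self, _from, _to, value):
        old_from = self.balances.get(_from, 0)
        old_to = self.balances.get(_to, 0)
        if old_from < value:
            raise ValueError("insufficient balance")
        self.balances[_from] = old_from - value   # the contract's "line 81"
        self.balances[_to] = old_to + value       # "line 82": overwrites line 81 if _from == _to
        return True


class FixedToken(VulnerableToken):
    """Two independent fixes: refuse self-transfers outright, and update the
    ledger in place so the second write observes the first."""
    def transfer(self, _from, _to, value):
        if _from == _to:
            raise ValueError("self-transfer not permitted")
        if self.balances.get(_from, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[_from] = self.balances.get(_from, 0) - value
        self.balances[_to] = self.balances.get(_to, 0) + value
        return True


def supply_invariant_holds(token):
    """Audit property: the sum of all balances must equal the recorded total supply."""
    return sum(token.balances.values()) == token.total_supply


def self_transfer_delta(token_cls, holder="alice", start=100, value=60):
    """Run one loopback transfer on a constructed two-holder ledger and report
    (change in the holder's balance, whether the supply invariant still holds).
    A sound implementation yields (0, True), whether it refuses or is a no-op."""
    token = token_cls({holder: start, "bob": 50})   # constructed sample ledger
    try:
        token.transfer(holder, holder, value)
    except ValueError:
        pass
    return token.balances[holder] - start, supply_invariant_holds(token)
```

Running `self_transfer_delta` against both classes is the regression test a reviewer would add: the vulnerable ledger shows a positive delta and a broken invariant, the fixed one shows neither.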
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| April 9th, 2019 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
The total amount recovered is unknown.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
The safest way to handle minting of new tokens in a centralized project is through an offline multi-signature arrangement requiring at least 3 of 4 known and trained individuals. Smart contract projects would only be approved after review by two separate validation firms, which in the case of a smart contract would include an audit. In the event a minting vulnerability was missed in both audits, a blockchain rollback would be the ideal solution, and any victims missed in the rollback could appeal to the project or industry insurance fund. Any one of these measures would have avoided the loss.
References
- [1] SlowMist Hacked - SlowMist Zone, https://hacked.slowmist.io/en/?c=Tron&page=2 (Nov 5, 2021)
- [2] https://www.ibtctrade.com/announcement/1153.html?lang=en (Dec 18, 2021)
- [3] https://tronscan-org.medium.com/tronscan-weekly-report-apr-15-21-2019-2a8667e6abef (Dec 18, 2021)
- [4] Trezor Tron Explorer, https://blockbook-tron.tronwallet.me/address/THbuksvRtZYXBw3wde681FkGEBaoDCWJAf (Dec 18, 2021)
- [5] https://coin.fyi/news/tron/petition-against-anthony-kudaev-btu6gi (Dec 18, 2021)
- [6] https://trx.tokenview.com/es/address/TGY1CFHqfyxFezHGeCR9RJnAEpQzMqvqRQ (Dec 18, 2021)
- [7] Tron Foundation Petition - YouTube, https://www.youtube.com/watch?v=F7pgu28FvGI (Dec 18, 2021)
- [8] https://www.change.org/p/tron-foundation-stop-these-exit-scams (Dec 18, 2021)
- [9] https://web.archive.org/web/20200502032436/https://blog.peckshield.com/2019/04/09/transferMint/ (Dec 18, 2021)
- [10] TRC20 IRC smart contract · iseri-project/smart-contracts@1c5a0e4 · GitHub, https://github.com/iseri-project/smart-contracts/commit/1c5a0e46d350baec80216478d4a6c5e99b614cce (Dec 18, 2021)
- [11] DAPP trend list: all vulnerability wave fields on EOS may be reproduced, Blockchain Network, https://blocking.net/1638/dapp-trend-list-all-vulnerability-wave-fields-on-eos-may-be-reproduced/ (Dec 19, 2021)