In this blog, we disclose a new type of vulnerability named evilReflex. By exploiting this bug, the attacker can transfer an arbitrary amount of tokens owned by a vulnerable smart contract to any address. Specifically, whenever a smart contract has non-zero token balance, those tokens could be swept out by an attacker.

In Figure 1, we show the vulnerable approveAndCallcode() function of an evilReflex-affected smart contract. The issue is in line 135, where _spender.call() is invoked with the user-controllable parameter _extraData. By design, the intended use of this callback function is to send out related notification while finishing an approve() operation. However, by tweaking the _extraData, an attacker can completely hijack the callback to do something unintended by the original design.

In other words, such vulnerability will essentially allow an attacker to call any contract address from a vulnerable contract, with arbitrary parameters! One thing she immediately obtains would be the privileges of the victim contract. In some smart contracts, the contract address itself might be used for authorization purposes so that certain privileged operations will only be issued from the contract itself.

From another perspective, if the vulnerable contract happens to own certain tokens, which are likely the case for the contract to receive ETH payments or distribute certain ERC20 tokens, an attacker might easily steal these crypto assets. How to do that? The attacker can exploit the evilReflex bug by making the contract to call the transfer() function of itself. Specifically, she can simply set _spender as the contract address with a tweaked _extraData. And the tweaked _extraData starts from the signature of transfer() followed by the two parameters to and value. This way, the contract issues a transfer() call which could transfer all of its tokens out. Figure 2 illustrates a tweaked _extraData we observed in an “in-the-wild” attack.

So far, our system has found at least 28 vulnerable smart contracts which are affected by this bug. And several of them are tradable on top cryptocurrency exchanges. Furthermore, one of the tradable ERC20 tokens had been attacked in the wild with at least 100 tokens stolen. As for this writing, we are still in the process of contacting related project teams behind these tokens and affected cryptocurrency exchanges [11] to remedy this issue. Please contact us if we can be of any help regarding evilReflex.

We would like to point out that we internally discovered this vulnerability about a month ago. However, due to the severity of affected tokens and tradable facts in related exchanges, we chose not to disclose the vulnerability until today – after the coordinated response with major exchanges [11]. In the meantime, some researchers have independently discussed the mechanism of such vulnerability in the same nature, though in a different ERC223 context [12].

References
[1] PeckShield: New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10299), April 22, 2018
[2] PeckShield: New proxyOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018-10376), April 25, 2018
[3] PeckShield: Your Tokens Are Mine: A Suspicious Scam Token in A Top Exchange, April 28, 2018
[4] PeckShield: New ownerAnyone Bug Allows For Anyone to ‘‘Own’’ Certain ERC20-Based Smart Contracts (CVE-2018-10705), May 3, 2018
[5] PeckShield: New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706), May 10, 2018
[6] PeckShield: New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11239), May 18, 2018
[7] PeckShield: New ceoAnyone Bug Identified in Multiple Crypto Game Smart Contracts (CVE-2018-11329), May 21, 2018
[8] PeckShield: New allowAnyone Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11397, CVE-2018-11398), May 23, 2018
[9] PeckShield: New allowFlaw Bug Identified in Multiple ERC20 Smart Contracts, June 6, 2018
[10] PeckShield: Full Disclosure of Highly-Manipulatable, tradeTrap-Affected ERC20 Tokens in Multiple Top Exchanges, June 11, 2018
[11] Huobi: HADAX Suspends 18T and GVE Deposits and Withdrawals , June 24, 2018
[12] EnsecTeam: Call Inject Attack in Ethereum Smart Contracts (in Chinese