CVE-2018-12703 - Vulnerability Details - OpenCVE

The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the "evilReflex" issue. NOTE: a PeckShield disclosure states "some researchers have independently discussed the mechanism of such vulnerability."

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Block18	Block18

Configuration 1 [-]

cpe:2.3:a:block18:block18:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals
https://peckshield.com/2018/06/23/evilReflex/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-06-25T10:00:00

Updated: 2024-08-05T08:45:01.179Z

Reserved: 2018-06-23T00:00:00

Link: CVE-2018-12703

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-25T10:29:00.267

Modified: 2024-11-21T03:45:42.450

Link: CVE-2018-12703

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-06-25T00:00:00", "descriptions": [{"lang": "en", "value": "The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the \"evilReflex\" issue. NOTE: a PeckShield disclosure states \"some researchers have independently discussed the mechanism of such vulnerability.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-25T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals"}, {"tags": ["x_refsource_MISC"], "url": "https://peckshield.com/2018/06/23/evilReflex/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-12703", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the \"evilReflex\" issue. NOTE: a PeckShield disclosure states \"some researchers have independently discussed the mechanism of such vulnerability.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals", "refsource": "MISC", "url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals"}, {"name": "https://peckshield.com/2018/06/23/evilReflex/", "refsource": "MISC", "url": "https://peckshield.com/2018/06/23/evilReflex/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T08:45:01.179Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://peckshield.com/2018/06/23/evilReflex/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-12703", "datePublished": "2018-06-25T10:00:00", "dateReserved": "2018-06-23T00:00:00", "dateUpdated": "2024-08-05T08:45:01.179Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:block18:block18:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1684A30-4013-4E5F-9F02-68C91E84DEFD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the \"evilReflex\" issue. NOTE: a PeckShield disclosure states \"some researchers have independently discussed the mechanism of such vulnerability.\""}, {"lang": "es", "value": "La funci\u00f3n approveAndCallcode de una implementaci\u00f3n de contrato inteligente para Block 18 (18T), un token de Ethereum ERC20 intercambiable, permite que los atacantes roben activos (por ejemplo, transfiriendo el saldo del contrato en su cuenta) debido a que el c\u00f3digo de llamada, como _spender.call(_extraData), no est\u00e1 verificado. Esto tambi\u00e9n se conoce como problema \"evilReflex\". NOTA: un comunicado de PeckShield indica que \"algunos investigadores han discutido de forma independiente el mecanismo de esta vulnerabilidad\"."}], "id": "CVE-2018-12703", "lastModified": "2024-11-21T03:45:42.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-25T10:29:00.267", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://peckshield.com/2018/06/23/evilReflex/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-Withdrawals"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://peckshield.com/2018/06/23/evilReflex/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}