Security restrictions bypass in Stable Yield Credit (yCREDIT)
Published: 2021-01-03
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2021-3004
CWE-ID: CWE-682
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software: yCREDIT (Web applications / Cryptocurrency software)

Vendor: yCREDIT

Security Bulletin

This security bulletin contains one high-risk vulnerability.

1) Incorrect calculation

EUVDB-ID: #VU49215

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-3004

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an incorrect calculation performed by the application. The _deposit function in the smart contract implementing Stable Yield Credit (yCREDIT), an Ethereum token, performs certain calculations incorrectly. An attacker can obtain more yCREDIT tokens than they should receive.

Note: the vulnerability has been exploited in the wild in January 2021.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

yCREDIT: All versions

External links

http://blocksecteam.medium.com/deposit-less-get-more-ycredit-attack-details-f589f71674c3
http://etherscan.io/address/0xe0839f9b9688a77924208ad509e29952dc660261


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.