Main Vulnerability Database SB2021010305

SB2021010305 - Security restrictions bypass in Stable Yield Credit (yCREDIT)

Published: January 3, 2021

Security Bulletin ID SB2021010305

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Incorrect calculation (CVE-ID: CVE-2021-3004)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect calculation performed by the application. The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should.

Note, the vulnerability has been exploited in the wild in January 2021.

Remediation

Install update from vendor's website.

References

https://blocksecteam.medium.com/deposit-less-get-more-ycredit-attack-details-f589f71674c3
https://etherscan.io/address/0xe0839f9b9688a77924208ad509e29952dc660261