Improper access control in Seal Finance - CVE-2021-3006

 

Improper access control in Seal Finance - CVE-2021-3006

Published: January 3, 2021 / Updated: January 3, 2021


Vulnerability identifier: #VU49214
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2021-3006
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Seal Finance
Affected software:
Seal Finance

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation.

Note, the vulnerability has been exploited in the wild in December 2020 and January 2021.


How to mitigate CVE-2021-3006

Install updates from vendor's website.

Sources