Security Vulnerability Discovered
Date of Report: 27th July 2017
Date of Discovery: 23rd July 2017
Impact: Low
Number of DGDs affected: 4162.2647
Number of addresses affected: 35
Post Impact: None
Signed PDF File of Report: https://drive.google.com/open?id=0B9TgodPfXwdcQVMxUEZvbXFncGs
On 20th of July, we received a support ticket from “Barry Whitehat” regarding a security vulnerability, with no reply address given. On 23rd of July, we received an email to our support address from Gustav Simonsson, who said that he had also discovered a security vulnerability. As we knew who he was, we contacted him by e-mail and phone to confirm his identity. Once he had confirmed it, Digix immediately got to work verifying the issue he had reported.
A bug in the DigixDAO Crowdsale Contract allowed an attacker to receive unclaimed DGD tokens.
In order for DGD participants to claim their DGD tokens, they were instructed to call the claim() function below.
This function calls the claimFor() function, passing msg.sender as the user. claimFor() in turn calls the DGD Token contract’s mint() function to create the coins on the DGD ERC20 token contract. On this line the DGD badges were correctly sent to the intended recipients (the address held in the _user variable), but the DGD tokens were sent to the msg.sender instead, allowing an attacker to receive unclaimed DGD tokens from the crowdsale.
The bug in question is in line 163 of our crowdsale contract.
What we did to figure out the impact of the exploit:
1. Download the full chain with state pruning turned off, to give us a comprehensive view of all transactions that have taken place on our DGD Crowdsale Contract.
2. Look through the list of claimed / unclaimed DGDs.
3. Figure out who used the claimFor() function.
4. If the address of the claimee ≠ the originator of the claimFor() ...
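To make both the bug and the impact check above concrete, here is an added Python model. It is not Digix's Solidity contract and not code from the report: the Ledger and Crowdsale classes, the addresses such as 0xCONTRIBUTOR_A and 0xTHIRD_PARTY, and the allocation amounts are all constructed for illustration, and claim_for(_user, msg_sender) stands in for the contract's claimFor() with msg.sender passed explicitly. With fixed=False it reproduces the reported behaviour (badges minted to _user, DGD minted to msg.sender); with fixed=True it mints the DGD to the claimee as intended. audit() applies the test from the last step: any claimFor() call whose claimee differs from the transaction originator is a misdirected mint, and the totals it returns are the two impact figures in the header (DGDs and addresses affected).

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Ledger:
    """Stand-in for the DGD ERC20 token contract and the DGD badge contract.
    Each exposes only a mint() that credits a balance (constructed model)."""
    dgd: dict = field(default_factory=dict)
    badges: dict = field(default_factory=dict)

    def mint_dgd(self, to: str, amount: Decimal) -> None:
        self.dgd[to] = self.dgd.get(to, Decimal(0)) + amount

    def mint_badge(self, to: str, count: int) -> None:
        self.badges[to] = self.badges.get(to, 0) + count


class Crowdsale:
    """Minimal model of the crowdsale's claim path. fixed=False reproduces
    the reported bug; fixed=True mints the DGD to the claimee as intended."""

    def __init__(self, allocations: dict, ledger: Ledger, fixed: bool):
        # allocations: contributor address -> (unclaimed DGD, unclaimed badges)
        self.unclaimed = dict(allocations)
        self.ledger = ledger
        self.fixed = fixed
        # What a full node with pruning off lets you reconstruct: every
        # claimFor() call as (transaction originator, claimee, DGD minted).
        self.events = []

    def claim(self, msg_sender: str) -> bool:
        # claim() simply forwards msg.sender to claimFor()
        return self.claim_for(msg_sender, msg_sender)

    def claim_for(self, _user: str, msg_sender: str) -> bool:
        if _user not in self.unclaimed:
            return False
        dgd_amount, badge_count = self.unclaimed.pop(_user)
        # Badges went to the right recipient in both versions.
        self.ledger.mint_badge(_user, badge_count)
        # Bug: the DGD mint named msg.sender instead of _user.
        recipient = _user if self.fixed else msg_sender
        self.ledger.mint_dgd(recipient, dgd_amount)
        self.events.append((msg_sender, _user, dgd_amount))
        return True


def run_scenario(fixed: bool) -> Crowdsale:
    """Constructed allocations: one contributor claims normally, another has
    claimFor() called on their behalf by an unrelated address."""
    ledger = Ledger()
    sale = Crowdsale(
        {"0xCONTRIBUTOR_A": (Decimal("100"), 1),
         "0xCONTRIBUTOR_B": (Decimal("50.5"), 0)},
        ledger, fixed)
    sale.claim("0xCONTRIBUTOR_A")                       # normal claim() path
    sale.claim_for("0xCONTRIBUTOR_B", "0xTHIRD_PARTY")  # claimFor() by someone else
    return sale


def audit(events):
    """The report's impact check: a claimFor() call whose claimee differs
    from the transaction originator is a misdirected mint in the buggy
    contract. Returns (misdirected events, DGD total, affected claimees)."""
    misdirected = [e for e in events if e[0] != e[1]]
    total = sum((e[2] for e in misdirected), Decimal(0))
    affected = sorted({e[1] for e in misdirected})
    return misdirected, total, affected


if __name__ == "__main__":
    buggy = run_scenario(fixed=False)
    print("buggy DGD balances  :", buggy.ledger.dgd)
    print("buggy badge balances:", buggy.ledger.badges)
    print("audit result        :", audit(buggy.events))
    patched = run_scenario(fixed=True)
    print("fixed DGD balances  :", patched.ledger.dgd)
```

The events list here is produced by the model itself; in the real check the records come from replaying the crowdsale contract's transaction history on an unpruned node, since the buggy contract gives no on-chain hint that a mint went to the wrong address.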