
Security Vulnerability discovered — DigixDAO

Security Vulnerability Discovered

Date of Report: 27th July 2017

Date of Discovery: 23rd July 2017

Severity: High

Impact: Low

Number of DGDs affected: 4162.2647

Number of addresses affected: 35

Post Impact: None

Signed PDF File of Report: https://drive.google.com/open?id=0B9TgodPfXwdcQVMxUEZvbXFncGs

Debrief

On 20th of July, we received a support ticket from “Barry Whitehat” regarding a security vulnerability, without a reply address. On 23rd of July, we received an email to our support address from Gustav Simonsson, who mentioned that he had also discovered a security vulnerability. As we knew who he was, we contacted him by e-mail and phone to confirm his identity. He confirmed his identity, and Digix immediately got to work verifying the issue he had reported.

Vulnerability Details

A bug in the DigixDAO Crowdsale Contract allowed an attacker to receive unclaimed DGD tokens.

In order for DGD participants to claim their DGD tokens, they were instructed to call the claim() function below.

claim() calls the claimFor() function, passing msg.sender as the user to claim for. claimFor() in turn calls the DGD Token contract’s mint() function to create the coins on the DGD ERC20 token contract. On that line the DGD badges were correctly sent to the proper recipient (the address held in the _user variable), but the DGD tokens were sent to msg.sender instead, allowing an attacker to receive unclaimed DGD tokens from the crowdsale.

The bug in question is in line 163 of our crowdsale contract.
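An added illustration of this bug class, written for this report and not the DigixDAO crowdsale contract’s actual code (the contract name, the IToken interface and the tokensOwed/badgesOwed/claimed mappings are assumptions; claim(), claimFor(), mint() and _user follow the description above). It shows the mis-addressed mint beside the corrected one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a crowdsale that lets participants claim an allocation
// of tokens and badges. Not the DigixDAO contract.
interface IToken {
    function mint(address _to, uint256 _amount) external;
}

contract ClaimableSale {
    IToken public token;   // stand-in for the DGD ERC20 token contract
    IToken public badge;   // stand-in for the DGD badge contract
    mapping(address => uint256) public tokensOwed;
    mapping(address => uint256) public badgesOwed;
    mapping(address => bool) public claimed;

    constructor(IToken _token, IToken _badge) {
        token = _token;
        badge = _badge;
    }

    // Participants were told to call claim(); it forwards msg.sender.
    function claim() external {
        claimFor(msg.sender);
    }

    // VULNERABLE variant: badges go to _user, tokens go to msg.sender.
    // Whoever submits the claim for _user receives _user's unclaimed tokens.
    function claimForVulnerable(address _user) public {
        require(!claimed[_user], "already claimed");
        claimed[_user] = true;
        badge.mint(_user, badgesOwed[_user]);
        token.mint(msg.sender, tokensOwed[_user]);   // BUG: wrong recipient
    }

    // FIXED: every minted asset is addressed to the account whose allocation
    // is being claimed, so the caller's identity cannot redirect funds.
    // The claimed flag is set before minting (checks-effects-interactions).
    function claimFor(address _user) public {
        require(!claimed[_user], "already claimed");
        claimed[_user] = true;
        badge.mint(_user, badgesOwed[_user]);
        token.mint(_user, tokensOwed[_user]);
    }
}
```

A review check for this class of bug: in any function that takes a beneficiary parameter, every transfer or mint recipient should be that parameter, never msg.sender, unless the mismatch is deliberate and documented.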

What we did to figure out the impact of the exploit:

1. Download the full chain with state pruning turned off, to allow us a comprehensive view of all transactions that have taken place on our DGD Crowdsale Contract.
2. Look through the list of claimed / unclaimed DGDs.
3. Figure out who used the claimFor() function.
4. If the address of the claimee ≠ the originator of the claimFor() ...