CoinVertible is a euro-pegged stablecoin. Although this sounds like a good idea, the authors of this post found some horrible issues at a brief glance.
The ecosystem is highly permissioned. As a result, EURCV requires that all transfers and transfer approvals be validated by the central authority registrar. The function rejectTransfer() has a miscalculation in it. In particular, the wrong entity is used for the approval call.
Additionally, the rejectTransfer() function cannot reject transfers if the allowance is extremely high. This is because the math done is allowance + transferRequest.value. This would revert with an integer overflow, making it impossible to reject the transaction.
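The overflow described above can be reproduced in a small Python model of checked uint256 addition. This is an added example, not code from the EURCV contract or from the post: the Token class, its fields, and the saturating variant shown as one possible mitigation are all hypothetical, and what the contract does with the sum is assumed.

```python
# Added example: models checked uint256 addition (the default in
# Solidity 0.8+, or SafeMath before it). All names are hypothetical.
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for an EVM revert caused by arithmetic overflow."""

def checked_add(a, b):
    if a + b > UINT256_MAX:
        raise Revert("arithmetic overflow")
    return a + b

def saturating_add(a, b):
    # One possible mitigation (an assumption, not the project's fix):
    # clamp at the maximum instead of reverting.
    return min(a + b, UINT256_MAX)

class Token:
    def __init__(self, add=checked_add):
        self.add = add
        self.allowance = {}  # (owner, spender) -> amount
        self.pending = {}    # request id -> (owner, spender, value)

    def reject_transfer(self, request_id):
        owner, spender, value = self.pending[request_id]
        current = self.allowance.get((owner, spender), 0)
        # The sum the post describes: allowance + transferRequest.value.
        # Storing it back as the new allowance is an assumption.
        self.allowance[(owner, spender)] = self.add(current, value)
        del self.pending[request_id]

def try_reject(token, request_id):
    try:
        token.reject_transfer(request_id)
        return "rejected"
    except Revert:
        return "reverted"  # state unchanged: the request stays pending

def demo():
    results = {}
    for name, add in (("checked", checked_add), ("saturating", saturating_add)):
        t = Token(add)
        t.allowance[("alice", "bob")] = UINT256_MAX  # constructed: max approval
        t.pending[1] = ("alice", "bob", 100)         # constructed request
        results[name] = (try_reject(t, 1), 1 in t.pending)
    return results

if __name__ == "__main__":
    print(demo())
```

With the checked addition the request can never be cleared while the allowance sits at the maximum; with the saturating variant the rejection goes through.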
The second vulnerability mentioned is the lack of a two-step ownership transfer. This is normally done by setting the recipient but forcing the contract to claim the role to finalize the transfer. This is used to prevent accidental self-DoS attacks.
The contract also suffers from the standard ERC20 race condition when setting a user's allowance. Instead of setting the value directly, the allowance should simply be increased or decreased.
There were a few other small things, like the transfer event being missing and a frontrunning gas griefing issue. Overall, fun issues with good impact, although no direct loss of funds was found.