CVE-2022-25335 Information

Description

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor’s vulnerability announcement date the vulnerability will not be remediated until a major protocol upgrade occurs.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://etherscan.io/contractdiffchecker?a1=0x876b9ebd725d1fa0b879fcee12560a6453b51dc8 https://twitter.com/danielvf/status/1494317265835147272 https://raw.globalsecuritydatabase.org/GSD-2022-1000077 https://twitter.com/RigoBlock/status/1494351180713050116 https://etherscan.io/tx/0x5a6c108d5a729be2011cd47590583a04444d4e7c85cd0427071b968edc3bfc1f

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5