CVE-2018-12885

Опубликовано: 07 авг. 2018

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Низкий

Описание

The randMod() function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a private variable, (which can be read with a getStorageAt call). Therefore, attackers can get powerful champs/items and get rewards.

Ссылки

https://etherscan.io/address/0x689FB61845488297dfE7586E5f7956475955d2Dc
Third Party Advisory
https://etherscan.io/address/0xa44e464b13280340904ffef0a65b8a0033460430
Third Party Advisory
https://medium.com/coinmonks/get-legendary-items-by-breaking-pnrg-of-mycyptochamp-an-ethereum-online-game-cve-2018-12855-6e6beb41b8df
Exploit
Third Party Advisory
https://etherscan.io/address/0x689FB61845488297dfE7586E5f7956475955d2Dc
Third Party Advisory
https://etherscan.io/address/0xa44e464b13280340904ffef0a65b8a0033460430
Third Party Advisory
https://medium.com/coinmonks/get-legendary-items-by-breaking-pnrg-of-mycyptochamp-an-ethereum-online-game-cve-2018-12855-6e6beb41b8df
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mycryptochamp:mycryptochamp:-:*:*:*:*:*:*:*

EPSS

Процентиль: 63%

0.0045

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-338

Связанные уязвимости

GHSA-h4gq-q399-xm7r