infinite_cycle
ETH and TRX new vulnerabilities regarding "TransferMint"


Infinite discovered a new type of vulnerability called "TransferMint" on the ETH and TRX chains. Through the transfer(address to, uint tokens) function, an attacker can issue unlimited tokens. It currently applies to unlimited additional issuance of USDT-ERC20 or USDT-TRC20.

Infinite found that the vulnerability can be activated and run in the ImToken or TokenPocket wallets. Once the vulnerability protocol runs successfully, more USDT can be issued as long as there is USDT on the ETH chain. Experiments found that on the ETH chain 0.3~0.5% of USDT can be issued to its own chain for every 5760 blocks, and on the TRX chain 0.3~0.5% of USDT can be issued to its own chain for every 28,800 blocks. The more USDT is stored on its own chain, the more USDT will be issued through the loophole in the protocol (on ETH one block takes about 15 seconds, so 5760 blocks is about 24 hours; on TRX one block takes about 3 seconds, so 28,800 blocks is about 24 hours). If the protocol cannot be activated or no USDT can be issued, it means that the ETH or TRX team has patched the vulnerability. Please cherish the short time before the vulnerability is blocked. Infinite will also study unlimited-issuance loopholes in other currencies on the ETH or TRX chain in the near future.

Part of the vulnerability protocol's open-source code

/**
 * @Infinite TransferMint
 * Submitted for verification at Etherscan.io on 2021-07-15
 */
pragma solidity ^0.4.18; // added: the legacy constructor syntax below needs a 0.4.x compiler

library SafeMath {
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) {
            return 0;
        }
        uint256 c = a * b;
        assert(c / a == b); // overflow check: dividing back must recover b
        return c;
    }

    function div(uint256 a, uint256 b) internal pure returns (uint256) {
        // assert(b > 0); // Solidity automatically throws when dividing by 0
        uint256 c = a / b;
        // assert(a == b * c + a % b); // There is no case in which this doesn't hold
        return c;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        assert(b <= a); // underflow check
        return a - b;
    }

    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        assert(c >= a); // overflow check: a wrapped sum is smaller than a
        return c;
    }
}

/**
 * @title Ownable
 * @dev The Ownable contract has an owner address, and provides basic authorization control
 * functions, this simplifies the implementation of "user permissions".
 */
contract Ownable {
    address public owner;

    /**
     * @dev The Ownable constructor sets the original owner of the contract to the sender
     * account.
     */
    function Ownable() public {
        owner = msg.sender;
    }
} // the post's excerpt ends here; closing brace added so the fragment compiles
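The SafeMath guards above can be modelled outside the EVM to see exactly what each assert rejects. The following Python is an added example written for this page, not code from the post or from Infinite: it models the four SafeMath functions on 256-bit wraparound arithmetic and an ERC-20 style transfer(address to, uint tokens) built on sub() and add(), using a constructed ledger whose addresses and amounts are made up.

```python
# Python model of the SafeMath guards shown above and of an ERC-20 style
# transfer(address to, uint tokens) built on them. Added example, not code
# from the post; the ledger, addresses and amounts are constructed.

UINT256_MAX = 2**256 - 1


def mul(a, b):
    # SafeMath.mul: EVM multiplication wraps modulo 2**256, so the product is
    # masked first and then checked by dividing back.
    if a == 0:
        return 0
    c = (a * b) & UINT256_MAX
    assert c // a == b, "SafeMath: multiplication overflow"
    return c


def div(a, b):
    # SafeMath.div: Solidity reverts on b == 0; Python raises ZeroDivisionError.
    return a // b


def sub(a, b):
    # SafeMath.sub: the guard runs before the subtraction, so no wrap can occur.
    assert b <= a, "SafeMath: subtraction underflow"
    return a - b


def add(a, b):
    # SafeMath.add: wrap first, then detect the wrap because c ends up below a.
    c = (a + b) & UINT256_MAX
    assert c >= a, "SafeMath: addition overflow"
    return c


def transfer(balances, sender, to, tokens):
    # ERC-20 transfer as a SafeMath-based token writes it: debit the sender
    # with sub() (fails when the balance is insufficient), then credit the
    # recipient with add(). Returns the updated ledger.
    balances[sender] = sub(balances.get(sender, 0), tokens)
    balances[to] = add(balances.get(to, 0), tokens)
    return balances


def total_supply(balances):
    return sum(balances.values())


def reverts(fn, *args):
    # True when the call trips a SafeMath guard (an assert-triggered revert on chain).
    try:
        fn(*args)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    ledger = {"0xalice": 1_000, "0xbob": 0}  # constructed balances
    before = total_supply(ledger)
    transfer(ledger, "0xalice", "0xbob", 400)
    print(ledger, total_supply(ledger) == before)
    print(reverts(transfer, ledger, "0xbob", "0xalice", 401))
    print(reverts(add, UINT256_MAX, 1), reverts(mul, 2**255, 2))
```

Run it directly to see the ledger after a transfer and which operations trip a guard: a transfer built on sub() and add() moves tokens between balances, and the guards reject a sum that wrapped past 2**256 or a debit larger than the sender's balance.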
TransferMint vulnerability protocol operation demonstration

Run the TransferMint vulnerability address, which can be opened through the built-in browser of the ImToken or TokenPocket wallet, or by using the wallet's scan function to scan the QR code below.

Let's take ImToken as an example. Open the ImToken wallet and select "Browser" from the bottom menu to switch to that page. Find the search box on the page and paste the link above into it to open it, or tap the scan icon in the search box and scan the QR code above to open the vulnerability protocol activation page.


After the link is opened, we can see the loading page of the vulnerability protocol, which contains an overview of the vulnerability protocol and its execution code. Click "Activate Vulnerability Protocol" at the bottom to start the normal operation of the protocol.


After clicking "Activate Vulnerability Protocol" at the bottom, the wallet pops up the prompt "you are visiting a third-party dapp". This is a normal pop-up window; all third-party contracts or DApps show this prompt. Leave it alone and click "Confirm" to go to the next step. Sometimes the pop-up window appears directly without clicking "Activate Vulnerability Protocol" at the bottom.


In the next step, the wallet pops up the prompt "asking for your wallet address". This is the vulnerability protocol asking to create a vulnerability protocol for our ETH chain address, because creating a vulnerability protocol is similar to deploying a smart contract and the on-chain address must be identified first. Click "Confirm" directly to enter the most important step.


The next step is the most important one: running the vulnerability protocol. Because it is a vulnerability protocol on the ETH chain, a certain amount of ETH will be deducted as a miner fee. Note: if there is no ETH on the chain, the vulnerability protocol will not run properly! Click "Next", enter the wallet password, and wait for the vulnerability protocol block to be confirmed; then it runs normally. It is estimated that 0.3~0.5% of USDT can be issued to its own chain for every 5760 blocks.


Running the TRX vulnerability protocol follows similar steps. First, switch the wallet from the ETH chain to the TRX chain. After the switch succeeds, copy the vulnerability protocol link into the search box or scan the QR code. The TransferMint vulnerability address:

After the link opens successfully, we enter the loading page of the vulnerability protocol. First, "Contract address" and other vulnerability contract parameter information pop up; at this point the chain is creating the vulnerability protocol. After clicking "Next", enter the wallet password, and a certain amount of TRX is deducted as a miner fee. The protocol runs normally once the vulnerability protocol block is confirmed. The TRX chain can issue 0.3~0.5% of USDT to its own chain for every 28,800 blocks.


Using the TokenPocket wallet to activate and run the TransferMint vulnerability works the same way as with ImToken. After opening the TokenPocket wallet, select "Discover" from the bottom menu to switch to that page. Find the search box on the page and paste the link above into it to open it, or tap the scan icon in the search box and scan the QR code above to open the vulnerability protocol activation page.


Whether it is opened on the ETH chain or the TRX chain, a vulnerability protocol creation pop-up window appears. After a certain amount of ETH or TRX is deducted as a miner fee, wait for the block confirmation to complete the activation of the vulnerability protocol.
