CVE-2018-12702 in Globalvillage Ecosysteminfo

Summary

by MITRE

The approveAndCallcode function of a smart contract implementation for Globalvillage ecosystem (GVE), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the "evilReflex" issue. NOTE: a PeckShield disclosure states "some researchers have independently discussed the mechanism of such vulnerability."


Analysis

by VulDB Data Team • 02/21/2020

CVE-2018-12702 is a critical flaw in the smart contract implementing the Globalvillage ecosystem (GVE) Ethereum ERC20 token. The weakness lies in approveAndCallcode, a function that approves a token allowance for a spender and then executes additional code by calling the spender with caller-supplied data. Because that call is not verified, an attacker can make the contract act against its own balances and move funds to unauthorized accounts.

The root cause is the unchecked _spender.call(_extraData) operation inside approveAndCallcode. After recording the approval, the contract calls _spender with the supplied _extraData, but it neither validates what that call does nor checks whether it succeeded or whether it transferred the intended assets. An attacker can therefore craft _extraData so that the contract's funds end up in an account of their choosing. VulDB categorizes the flaw under CWE-252 (Unchecked Return Value), where the return status of a function call is not checked, and maps it to ATT&CK technique T1059.001 for executing malicious code through function calls.

The impact is severe and goes to the integrity of the GVE token economy: attackers can drain contract balances and transfer assets to their own wallets without authorization. The "evilReflex" name describes the contract's own code being turned against its intended purpose, so that the contract itself performs the unauthorized transfer. Every user who has approved token transfers to the vulnerable contract is affected, and exploitation requires no user interaction beyond the initial approval transaction.

Mitigation requires upgrading the contract and auditing similar ERC20 contracts across the Ethereum ecosystem for the same pattern. The primary fix is to verify the result of the call before proceeding with any asset transfer, so that the transaction completes only if the additional code execution returned successfully. Developers should check the return value of every external call and validate the outcome of each code execution path, follow established secure coding practices for Ethereum smart contracts, test all approval and transfer functions thoroughly, and apply access controls that prevent unauthorized code execution within token contracts. The case is a reminder that a seemingly minor omission in a smart contract can have serious consequences in a decentralized application.
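The following Solidity contract is an added illustration, not the GVE token's source code. It shows the approveAndCallcode pattern the advisory describes in two forms: an unverified version that ignores the result of `_spender.call(_extraData)`, and a hardened version that checks the call result as the advisory recommends. The hardened version also adds one guard the advisory does not spell out, refusing to let the token contract call itself; this is an assumption about the safest shape of the fix, since any call made from approveAndCallcode has the token contract as msg.sender. The balance and allowance bookkeeping is a minimal stand-in for a full ERC20 implementation, and all names other than approveAndCallcode, _spender, _value and _extraData are the example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example contract; not the Globalvillage ecosystem (GVE) token itself.
// Only the parts needed to show the approveAndCallcode issue are implemented.
contract ApproveAndCallExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Approval(address indexed owner, address indexed spender, uint256 value);
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    // Plain ERC20 transfer: moves tokens from msg.sender to _to.
    // Note that when this contract calls itself, msg.sender is the contract.
    function transfer(address _to, uint256 _value) public returns (bool) {
        require(balanceOf[msg.sender] >= _value, "insufficient balance");
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    // VULNERABLE PATTERN (the shape described in CVE-2018-12702): the contract
    // forwards caller-supplied data to a caller-chosen target from its own
    // address and never checks the target or the outcome of the call.
    function approveAndCallcodeUnchecked(
        address _spender,
        uint256 _value,
        bytes memory _extraData
    ) public returns (bool) {
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        _spender.call(_extraData); // result ignored, target unrestricted
        return true;
    }

    // HARDENED: the call result is verified (the fix the advisory prescribes)
    // and, as an added guard assumed here, the contract refuses to call itself,
    // so it can never be driven to spend its own holdings through this path.
    function approveAndCallcode(
        address _spender,
        uint256 _value,
        bytes memory _extraData
    ) public returns (bool) {
        require(_spender != address(this), "spender must not be this contract");
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        (bool ok, ) = _spender.call(_extraData);
        require(ok, "spender callback failed");
        return true;
    }
}
```

When auditing a token for this pattern, look for any function that performs a low-level `.call` (or, in older Solidity, `callcode`) with a caller-controlled target and payload and then neither checks the returned boolean nor restricts the target; both checks belong in the fix, because a successful call is still dangerous if the target is the token contract itself.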

Reservation: 06/23/2018

Disclosure: 06/25/2018

Moderation: accepted

CPE: ready

EPSS: 0.00237

KEV: no

Activities: very low
