CVE-2019-15080 in MorphTokeninfo

Summary

by MITRE • 12/31/2020

An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token. A typo in the constructor of the Owned contract (which is inherited by MORPH Token) allows attackers to acquire contract ownership. A new owner can subsequently obtain MORPH Tokens for free and can perform a DoS attack.

Analysis

by VulDB Data Team • 06/18/2026

The vulnerability in the MORPH Token smart contract represents a critical security flaw stemming from a simple yet devastating typo in the constructor of an inherited Owned contract. This fundamental error occurred during the development phase and remained undetected until June 5th, 2019, when the issue was discovered. The vulnerability specifically targets the contract ownership mechanism, which is a foundational element of smart contract security architecture. When the Owned contract constructor was implemented, a typographical error in the ownership assignment logic created an exploitable condition that allowed unauthorized parties to assume control of the contract. This type of vulnerability aligns with CWE-755, which addresses the common weakness of improper handling of error conditions and security flaws in software implementations.

The technical exploitation of this vulnerability occurs through the manipulation of the constructor parameters during contract deployment. The typo in the Owned contract constructor creates a scenario where the intended owner address is not properly assigned, leaving the contract in a state where any external party can claim ownership through specific transaction patterns. Once an attacker successfully acquires ownership, they gain complete administrative control over the MORPH Token contract. This elevated privilege level enables them to perform operations that would normally be restricted to the legitimate owner, including minting new tokens without any cost or restriction. The ability to generate unlimited MORPH Tokens represents a severe economic impact that undermines the token's value proposition and market integrity.

The operational consequences of this vulnerability extend beyond simple token generation to include potential denial-of-service capabilities that can severely impact the contract's functionality. As the new owner, an attacker can perform operations that render the contract unusable or inaccessible to legitimate users, effectively creating a DoS condition that compromises the entire smart contract system. This attack vector demonstrates how a single typo can create cascading security implications that affect not only the immediate functionality but also the long-term viability of the token ecosystem. The vulnerability's discovery timeline indicates that it remained exploitable for several months, allowing potential attackers to capitalize on the flaw during this period. The impact on token holders and the broader Ethereum ecosystem demonstrates the critical importance of thorough code review processes and security auditing in smart contract development. This vulnerability also highlights the need for adherence to security best practices and standards such as those outlined in the OWASP Smart Contract Security Verification Standard, which emphasizes proper ownership and access control mechanisms.

The mitigation strategies for this vulnerability require immediate remediation through contract redeployment with corrected ownership logic. The fix involves correcting the typographical error in the Owned contract constructor to ensure proper ownership assignment during contract initialization. Additionally, implementing comprehensive testing procedures including formal verification and security audits can prevent similar issues from occurring in future deployments. The incident underscores the necessity of following established security frameworks and maintaining rigorous development practices that include peer review processes and automated security scanning tools to identify such critical flaws before they can be exploited in production environments.
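The automated scanning mentioned above can start with a simple name check. This is an added example, not part of the original entry or the MORPH Token code; it assumes the typo is of the legacy pre-0.4.22 Solidity kind, where a function whose name does not exactly match its contract is an ordinary public function rather than the constructor. The sample source, function names, and threshold are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample, NOT the MORPH Token source. Assumption: before Solidity
# 0.4.22 the constructor is the function named exactly like its contract, so
# `owned()` inside `Owned` is a regular public function.
SAMPLE = """
pragma solidity ^0.4.18;
contract Owned {
    address public owner;
    function owned() public { owner = msg.sender; }
}
contract Token is Owned {
    function Token() public { }
    function mint(uint256 amount) public { }
}
contract Vault {
    constructor() public { }
}
"""

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)[^{]*\{")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")

def contract_spans(source):
    """Yield (name, body_start, body_end) per contract by brace matching.
    Limitation: braces inside comments or string literals are not skipped."""
    for m in CONTRACT_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.end(), i

def misnamed_constructors(source, threshold=0.8):
    """Return (contract, function, line) for functions whose name is close to,
    but not exactly, the contract name: candidates for a mistyped constructor."""
    findings = []
    for name, start, end in contract_spans(source):
        for f in FUNC_RE.finditer(source, start, end):
            fn = f.group(1)
            score = SequenceMatcher(None, fn.lower(), name.lower()).ratio()
            if fn != name and score >= threshold:
                findings.append((name, fn, source.count("\n", 0, f.start()) + 1))
    return findings

if __name__ == "__main__":
    for contract, fn, line in misnamed_constructors(SAMPLE):
        print(f"line {line}: {contract}.{fn}() is a public function, not a constructor")
```

The similarity threshold also catches near-miss spellings, not only case differences, so each finding is a prompt for manual review rather than a confirmed defect.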

Disclosure

12/31/2020

Moderation

accepted

CPE

ready

EPSS

0.01581

KEV

no

Activities

very low
