Chronicle of a Vulnerability Foretold


All’s Well?

Snook, we have a vulnerability!

  • Funds were never at any real risk — As mentioned in the TL;DR the vulnerability did not pose any risk of funds’ misallocation. It only meant that vested $SNKs could get locked. That makes it far less attractive for exploitation and basically a potential act of cyber-vandalism with no upside to the perpetrator.
  • We caught it before it could be exploited — Thanks to the impressive vigilance of ConsenSys we caught it in time. You see, the first time this vulnerability could theoretically be exploited would be after the first vesting due date, i.e., October 1st. We had two weeks to resolve this issue.

You’re still here? Let’s dive in, try to keep up.

  1. She could call on getRealeaseableAmount() because it is public
  2. This would then change a storage variable to indicate that the transaction was already completed.
  3. The beneficiary would then try to claim the funds but would not be able to because the release() function would have an indication that the transfer already happened.

That Ends Well!

Replacing everything with exact duplicates


Epilogue — It’s the collaboration Stupid!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store