Smart contract bug discovered in Yggdrash and Icon

Yesterday, a smart contract bug was first discovered in Yggdrash (YEED) that allowed anyone except the contract creator to enable and disable token transfers for everyone.

A short while later the same bug was found in the Icon (ICX) smart contract. A few minutes ago, someone began spamming the contract with disable transfer transactions.

ICX is unable to be moved from any wallet at this point.

The actual bug is pretty fucking funny:

    modifier onlyFromWallet {
        require(msg.sender != walletAddress);
        _;
    }

Instead of saying the message sender must be == (equal) to the wallet address of the creator of ICON, it says that the message sender must be != (not equal) to the wallet address of the creator of ICON.

So everybody except for the creator of ICON then fits the requirement to use the modifier, and therefore everybody but him is able to enable/disable Token transfer.


Edit: And now Binance has suspended ICX withdrawals and deposits.


Edit2: Binance has re-enabled the ICX wallet. Currently token transfers are enabled but may be disabled by the smart contract and anyone with the gas to send in the command.


Edit3: Looks like it was found first by these guys at 3:30pm PST according to their Twitter


Edit4: Icon team says issue is resolved. How? By them spamming enable transfer every minute. All it takes is one bad actor who wants to stop transfers and knows how to win a mining war and their fix will stop working.

Source: reddit
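
An added example, not part of the original post or of either project's code: a small Python check that flags Solidity modifiers whose require() compares msg.sender with != (the inverted guard quoted above) and lists the functions they protect. The sample contract is constructed; apart from the quoted modifier, its names (Token, onlyOwnerFixed, enableTokenTransfer, disableTokenTransfer, setWallet) are hypothetical.

```python
import re

# Constructed sample: only the onlyFromWallet modifier comes from the post;
# the contract name, the other modifier and the functions are hypothetical.
SAMPLE = """
contract Token {
    address walletAddress;
    bool tokenTransfer;
    modifier onlyFromWallet {
        require(msg.sender != walletAddress);
        _;
    }
    modifier onlyOwnerFixed {
        require(msg.sender == walletAddress);
        _;
    }
    function enableTokenTransfer() external onlyFromWallet { tokenTransfer = true; }
    function disableTokenTransfer() external onlyFromWallet { tokenTransfer = false; }
    function setWallet(address w) external onlyOwnerFixed { walletAddress = w; }
}
"""
MODIFIER = re.compile(r"\bmodifier\s+(\w+)[^{]*\{")
# require(msg.sender != X) or require(X != msg.sender): passes for everyone but X.
INVERTED = re.compile(r"require\s*\(\s*(msg\.sender\s*!=\s*[\w.]+|[\w.]+\s*!=\s*msg\.sender)\s*[,)]")
FUNCTION = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]")

def body_at(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced source: take the rest

def inverted_guards(source):
    """Map each modifier with an inverted msg.sender check to the functions using it."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)  # drop comments
    bad = [m.group(1) for m in MODIFIER.finditer(src)
           if INVERTED.search(body_at(src, m.end() - 1))]
    report = {name: [] for name in bad}
    for fn, attrs in FUNCTION.findall(src):
        for name in bad:
            if re.search(r"\b%s\b" % re.escape(name), attrs):
                report[name].append(fn)
    return report

if __name__ == "__main__":
    print(inverted_guards(SAMPLE))
```

This is a regex-level lint, so it only catches the direct `!=` comparison inside a modifier's require(); a hit is a prompt for manual review, not proof of a bug.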
