CVE-2019-15080

7.5 HIGH

📋 TL;DR

The Owned base contract of the MORPH Token is written for a Solidity version in which a constructor is simply a function that carries the contract's own name. Because that function name is misspelled, the compiler does not treat it as a constructor: it becomes an ordinary public function that anyone can call, and each call sets the contract owner to the caller. An attacker who calls it takes ownership of the token contract and can use the owner-only functions to mint unlimited tokens for free or to lock the contract (denial of service). Anyone holding or interacting with the MORPH Token contract as deployed through 2019-06-05 is affected.

💻 Affected Systems

Products:
  • MORPH Token smart contract
Versions: The deployed contract through 2019-06-05 (on-chain code is immutable; there are no patch releases of the existing deployment)
Operating Systems: Not applicable - Ethereum blockchain
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific contract deployment at 0x2ef27bf41236bd859a95209e17a43fbd26851f92

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the token contract allowing unlimited token minting, theft of all funds, and permanent denial of service.

🟠

Likely Case

Attacker gains contract ownership and mints tokens for personal profit, devaluing the token for legitimate holders.

🟢

If Mitigated

No impact if token holders have migrated to a redeployed contract whose constructor is declared correctly; the vulnerable deployment itself cannot be patched in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single transaction that calls the mis-named function on the public contract address; no prior privileges, owner signature, or special tooling is needed. A public proof-of-concept is published in the SM-VUL GitHub repository linked under Vendor Advisory below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not applicable

Vendor Advisory: https://github.com/smsecgroup/SM-VUL/tree/master/typo-vul-02

Restart Required: No

Instructions:

1. Deploy a new contract with a correctly declared constructor. Solidity 0.4.22 and later provide the `constructor` keyword, which cannot be misspelled into a public function; with older compilers the function name must match the contract name exactly.
2. Migrate token holders (balances) to the new contract.
3. Abandon the vulnerable contract address.

Note: smart contracts are immutable once deployed, so the existing deployment cannot be fixed in place.

🔧 Temporary Workarounds

Contract migration
  Applies to: all deployments of the vulnerable contract
  Action: Deploy a corrected contract and migrate all token holders
  Command: Not applicable - requires manual smart contract deployment

🧯 If You Can't Patch

  • Cease all interactions with vulnerable contract address
  • Monitor for suspicious ownership transfer transactions

🔍 How to Verify

Check if Vulnerable:

In the verified source of the deployment, compare the name of every function in the Owned contract against the contract name. Solidity older than 0.4.22 has no `constructor` keyword: the constructor is the function whose name exactly matches the contract name, and a near-miss (wrong case, a dropped or transposed letter) compiles as a public function anyone can call. Also read `owner()` on chain and confirm it still returns the address you expect.
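The following scanner is an added example of that source check, not MORPH Token's code and not the SM-VUL proof of concept. It splits a Solidity source into contracts, flags any function whose name is a near-miss of its contract's name, and reports whether the body touches `msg.sender` (the sign of an owner assignment). The two source samples are constructed: the first shows the vulnerable old-style pattern, the second the `constructor` keyword form that closes the bug. The misspelling `Owend` is an assumption for illustration, not the typo in the real contract.

```python
"""Static check for the CVE-2019-15080 pattern.

Solidity older than 0.4.22 has no `constructor` keyword: the constructor is
the function whose name exactly matches the contract name. A misspelled
name compiles as an ordinary public function that anyone can call. This
scanner flags functions whose name is a near-miss of their contract's name
and notes whether the body touches msg.sender (an owner assignment).

Added example, not MORPH Token's code and not the SM-VUL proof of concept.
Both source samples are constructed; the misspelling `Owend` is assumed for
illustration and is not claimed to be the typo in the real contract.
"""
import re

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)")
FUNCTION_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_constructor_typos(source, max_distance=2):
    """Return (contract, function, touches_sender) for every function whose
    name nearly matches its contract's name. Heuristic: contract bodies are
    split at the next `contract` keyword, and a function body is read up to
    its first closing brace, which covers one-line constructors."""
    findings = []
    heads = list(CONTRACT_RE.finditer(source))
    for i, head in enumerate(heads):
        cname = head.group(1)
        end = heads[i + 1].start() if i + 1 < len(heads) else len(source)
        body = source[head.end():end]
        for fn in FUNCTION_RE.finditer(body):
            fname = fn.group(1)
            if fname == cname:
                continue  # exact match: a genuine old-style constructor
            if levenshtein(fname.lower(), cname.lower()) > max_distance:
                continue
            close = body.find("}", fn.end())
            fbody = body[fn.end():close if close != -1 else len(body)]
            findings.append((cname, fname, "msg.sender" in fbody))
    return findings


# Constructed sample of the vulnerable pattern (pre-0.4.22 style constructor).
VULNERABLE_SRC = """
pragma solidity ^0.4.18;
contract Owned {
    address public owner;
    function Owend() public { owner = msg.sender; }  // typo: not a constructor
    modifier onlyOwner { require(msg.sender == owner); _; }
    function transferOwnership(address newOwner) public onlyOwner { owner = newOwner; }
}
contract Token is Owned {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) public onlyOwner { balanceOf[to] += amount; }
}
"""

# Constructed sample of the corrected form: the keyword cannot be misspelled
# into a callable function.
FIXED_SRC = """
pragma solidity ^0.4.22;
contract Owned {
    address public owner;
    constructor() public { owner = msg.sender; }
    modifier onlyOwner { require(msg.sender == owner); _; }
    function transferOwnership(address newOwner) public onlyOwner { owner = newOwner; }
}
contract Token is Owned {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) public onlyOwner { balanceOf[to] += amount; }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_constructor_typos(src))
```

Run it against the verified source downloaded from a block explorer; a finding with `touches_sender` set to True is the CVE-2019-15080 pattern, while a near-miss that never assigns `msg.sender` still deserves a manual look because the intended constructor logic did not run at deployment.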

Check Version:

Creation date alone proves nothing, because the deployed bytecode never changes. The meaningful check is which address you interact with: the deployment listed under Affected Systems is vulnerable regardless of date, and a replacement is only safe if its verified source declares the constructor correctly.

Verify Fix Applied:

Confirm that the replacement contract's verified source declares `constructor()` (or, for compilers older than 0.4.22, a function whose name exactly matches the contract name), that `owner()` returns the intended deployer, and that ownership can only change through the intended transfer function.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected ownership transfer events in contract logs
  • Unusual token minting transactions

Network Indicators:

  • Transactions to the token address whose 4-byte function selector is the mis-named function, which is not part of the token's normal ABI
  • Suspicious contract interactions from unknown addresses

SIEM Query:

Not applicable - traditional SIEMs do not ingest chain data. Instead, pull event logs for the token address from a node or block explorer and alert on any ownership-transfer event, or any owner-only call such as minting, that was not initiated by the expected owner.
