CVE-2020-19765

7.5 HIGH

📋 TL;DR

CVE-2020-19765 is a reentrancy vulnerability in the noReentrance() modifier of the Accounting 1.0 Ethereum smart contract. Because the modifier does not properly block reentrant calls, an attacker can drain funds from the contract by re-entering withdrawal functions before the previous call has updated the contract's state. This affects any system using the vulnerable Accounting 1.0 contract.

💻 Affected Systems

Products:
  • Accounting Ethereum Smart Contract
Versions: 1.0
Operating Systems: N/A - Smart contract vulnerability
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments of Accounting 1.0 contract on Ethereum or compatible blockchains.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of all funds stored in the vulnerable smart contract through repeated withdrawals.

🟠 Likely Case: Partial or complete fund theft from the contract by attackers monitoring for vulnerable deployments.

🟢 If Mitigated: No impact if the contract uses proper reentrancy guards or has been patched.

🌐 Internet-Facing: HIGH - Ethereum smart contracts are inherently internet-facing and publicly accessible.
🏢 Internal Only: LOW - Smart contracts operate on public blockchains, not internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Reentrancy attacks are well-known in Ethereum, and proof-of-concept code exists in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

1. Deploy a new version of the contract with proper reentrancy protection.
2. Migrate all funds and users to the new contract.
3. Mark the old contract as deprecated.

🔧 Temporary Workarounds

Implement Checks-Effects-Interactions Pattern

Applies to: all

Rewrite contract functions to follow the checks-effects-interactions pattern (validate inputs, update contract state, and only then make external calls) so that a re-entered call sees already-updated state.

N/A - Requires contract code modification

Use ReentrancyGuard from OpenZeppelin

Applies to: all

Inherit from OpenZeppelin's ReentrancyGuard contract and apply its nonReentrant modifier to state-changing functions that make external calls.

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

🧯 If You Can't Patch

  • Monitor contract for suspicious transactions and set up alerts for unusual withdrawal patterns.
  • Consider using a multisig wallet or time-locked withdrawals to limit potential damage.

🔍 How to Verify

Check if Vulnerable:

Review contract source code for the noReentrance() modifier implementation and check if it properly prevents reentrant calls.

Check Version:

Check contract address on Etherscan or similar explorer for deployed bytecode and verify against known vulnerable versions.

Verify Fix Applied:

Verify the contract uses proper reentrancy guards (like OpenZeppelin's ReentrancyGuard) and follows checks-effects-interactions pattern.

📡 Detection & Monitoring

Log Indicators:

  • Multiple calls into the contract from the same address within a single transaction
  • Unexpected balance changes in the contract

Network Indicators:

  • Unusual gas usage patterns in transactions
  • Multiple internal calls within a single transaction

SIEM Query:

N/A - Blockchain transactions require specialized monitoring tools

🔗 References
