CVE-2021-3004

7.5 HIGH

📋 TL;DR

CVE-2021-3004 is an integer calculation vulnerability in the _deposit function of the yCREDIT Ethereum token smart contract. Attackers can deposit less collateral than required and receive disproportionately more yCREDIT tokens, enabling theft of funds. This affects users interacting with the vulnerable yCREDIT contract on the Ethereum blockchain.

💻 Affected Systems

Products:
  • Stable Yield Credit (yCREDIT) smart contract
Versions: All versions before the fix
Operating Systems: Not applicable - Ethereum blockchain
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific yCREDIT contract at address 0xe0839f9b9688a77924208ad509e29952dc660261 on Ethereum mainnet.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete depletion of the yCREDIT token pool, causing total loss of funds for all token holders and collapse of the token's value.

🟠 Likely Case

Partial theft of funds from the token pool, resulting in financial losses for token holders and reduced token value.

🟢 If Mitigated

No impact if the vulnerable contract is no longer in use or has been replaced with a patched version.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack details and methodology are publicly documented. Exploitation requires Ethereum transaction execution but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated contract implementation

Vendor Advisory: https://blocksecteam.medium.com/deposit-less-get-more-ycredit-attack-details-f589f71674c3

Restart Required: No

Instructions:

1. Deploy a new patched smart contract with corrected _deposit function calculations.
2. Migrate all funds and user balances to the new contract.
3. Disable the vulnerable contract to prevent further interactions.

🔧 Temporary Workarounds

Contract Interaction Blocking

Applies to: all

Prevent all interactions with the vulnerable contract address.

Not applicable - requires blockchain-level intervention

🧯 If You Can't Patch

  • Monitor all transactions to the vulnerable contract address for suspicious deposit patterns
  • Implement rate limiting or transaction validation at the application layer if interacting with the contract

🔍 How to Verify

Check if Vulnerable:

Check if interacting with contract address 0xe0839f9b9688a77924208ad509e29952dc660261 on Ethereum mainnet

Check Version:

Not applicable - smart contracts don't have traditional versioning

Verify Fix Applied:

Verify that all funds have been migrated to a new contract address with corrected calculations

📡 Detection & Monitoring

Log Indicators:

  • Unusually large yCREDIT token minting events
  • Discrepancies between deposited collateral and minted tokens

Network Indicators:

  • Multiple deposit transactions from same address with abnormal token outputs
  • Sudden increase in yCREDIT token supply

SIEM Query:

Not applicable - blockchain transactions require specialized monitoring tools
