Login Sign Up

CVE-2021-3006

7.5 HIGH

📋 TL;DR

The breed function in Seal Finance's smart contract lacks access control, allowing unauthorized users to manipulate token prices. This affects users of the Seal Finance platform who interact with the vulnerable smart contract, potentially leading to financial losses.

💻 Affected Systems

Products:
  • Seal Finance smart contract
Versions: Specific version unknown, but contract at address 0x33c2da7fd5b125e629b3950f3c38d7f721d7b30d is affected
Operating Systems: Not applicable - Ethereum blockchain
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the smart contract code deployed to the Ethereum blockchain. Once deployed, smart contracts are immutable unless upgrade mechanisms are built in.

📦 What is this software?

Seal Finance by Seal Finance Project

View all CVEs affecting Seal Finance →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete price manipulation leading to significant financial losses for users, potential collapse of the token's value, and loss of trust in the platform.

🟠

Likely Case

Price manipulation resulting in financial losses for users, arbitrage opportunities for attackers, and reputational damage to Seal Finance.

🟢

If Mitigated

No impact if proper access controls are implemented to restrict breed function to authorized users only.

🌐 Internet-Facing: HIGH - Smart contracts are publicly accessible on the Ethereum blockchain, making them internet-facing by default.
🏢 Internal Only: LOW - This is a public smart contract vulnerability, not an internal system issue.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild in December 2020 and January 2021. The exploit requires basic understanding of smart contract interaction but no special privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not applicable - smart contracts are immutable

Vendor Advisory: https://blocksecteam.medium.com/security-incident-on-seal-finance-fa79c27a1c3b

Restart Required: No

Instructions:

Cannot patch existing contract. Must deploy new contract with proper access controls and migrate users.

🔧 Temporary Workarounds

Contract migration

all

Deploy new smart contract with proper access controls and migrate all users and funds from vulnerable contract

Not applicable - requires smart contract development and deployment

🧯 If You Can't Patch

  • Monitor contract for suspicious breed function calls and alert on unusual activity
  • Implement off-chain validation and monitoring of price movements to detect manipulation

🔍 How to Verify

Check if Vulnerable:

Check if breed function in contract at 0x33c2da7fd5b125e629b3950f3c38d7f721d7b30d lacks access control modifiers like onlyOwner or similar restrictions

Check Version:

Not applicable - check contract address and code on Etherscan

Verify Fix Applied:

Verify new contract has proper access controls on breed function and old contract is deprecated

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of breed function calls
  • Breed function calls from unauthorized addresses

Network Indicators:

  • Suspicious transactions to contract address
  • Unusual price fluctuations in token

SIEM Query:

Not applicable - monitor blockchain transactions via Etherscan API or similar

📊 Metadata

CVE ID: CVE-2021-3006
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Published: January 3, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON