CVE-2021-33403

7.5 HIGH

📋 TL;DR

An integer overflow vulnerability in the transfer function of the Lancer Token (LNCToken) smart contract allows the contract owner to manipulate token transfers between large accounts, potentially causing unexpected financial losses. This affects users holding or transacting with this specific ERC20 token on the Ethereum blockchain.
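The following added Python example is not the LNCToken contract's code and does not reproduce its actual bug; it is a generic illustration of the failure class named above (CWE-190 in a token transfer): a ledger whose recipient-side addition wraps modulo 2**256 the way an unchecked EVM `uint256` add does, next to the `require(a + b >= a)` guard that pre-0.8 Solidity code typically borrows from SafeMath. The starting balances are constructed and deliberately contrived so that the wrap occurs; the point is the arithmetic check, not the real contract's state.

```python
# Added illustration of unchecked vs. checked uint256 addition in a token
# transfer. Not the Lancer Token contract; all balances below are constructed.

MODULUS = 1 << 256
UINT256_MAX = MODULUS - 1


def add_unchecked(a: int, b: int) -> int:
    """uint256 addition as the EVM performs it: wraps modulo 2**256."""
    return (a + b) % MODULUS


def add_checked(a: int, b: int) -> int:
    """SafeMath-style addition: require(a + b >= a), else revert."""
    c = (a + b) % MODULUS
    if c < a:  # wrapped around, so the true sum exceeded uint256
        raise ValueError("uint256 overflow")
    return c


class Ledger:
    """Toy ERC20-style balance map (constructed, not the real contract)."""

    def __init__(self, balances: dict[str, int]):
        self.balances = dict(balances)

    def transfer_unchecked(self, sender: str, to: str, value: int) -> None:
        # Only the sender side is checked; the recipient side can wrap.
        if self.balances.get(sender, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[sender] -= value
        self.balances[to] = add_unchecked(self.balances.get(to, 0), value)

    def transfer_checked(self, sender: str, to: str, value: int) -> None:
        # Compute the recipient's new balance first so a revert leaves state untouched.
        if self.balances.get(sender, 0) < value:
            raise ValueError("insufficient balance")
        new_to = add_checked(self.balances.get(to, 0), value)
        self.balances[sender] -= value
        self.balances[to] = new_to

    def total(self) -> int:
        return sum(self.balances.values())


def demo() -> tuple[int, int, bool, bool]:
    """Run the same transfer through both ledgers and report what happened."""
    # Constructed state: A's balance is within 5 of the uint256 ceiling.
    start = {"A": UINT256_MAX - 5, "B": 10}

    vuln = Ledger(start)
    before = vuln.total()
    vuln.transfer_unchecked("B", "A", 10)
    wrapped_balance = vuln.balances["A"]      # 4: receiving 10 wrapped A to a tiny balance
    tokens_lost = before - vuln.total()       # exactly 2**256 vanished from the ledger

    safe = Ledger(start)
    try:
        safe.transfer_checked("B", "A", 10)
        rejected = False
    except ValueError:
        rejected = True                       # guard reverts; no state change
    return wrapped_balance, tokens_lost, rejected, safe.total() == before


if __name__ == "__main__":
    print(demo())
```

The conservation figure (`tokens_lost`) is the practical takeaway: an overflow in a transfer does not just miscount one account, it silently changes the sum of all balances, which is why a balance-sum invariant is a useful monitoring check for any token contract you cannot patch.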

💻 Affected Systems

Products:
  • Lancer Token (LNCToken) smart contract
Versions: All versions of the vulnerable contract implementation
Operating Systems: Not applicable
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific smart contract at address 0x63e634330a20150dbb61b15648bc73855d6ccf07 on Ethereum blockchain

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Contract owner could drain tokens from large accounts or manipulate token balances, causing significant financial losses to token holders.

🟠 Likely Case: Contract owner exploits the vulnerability to siphon tokens from large holders during transfers, resulting in direct financial theft.

🟢 If Mitigated: No impact if users avoid interacting with the vulnerable contract or if the owner doesn't exploit it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires contract owner privileges; a public analysis is available in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not applicable

Vendor Advisory: Not available

Restart Required: No

Instructions:

Deploy new smart contract with fixed transfer function and migrate token holders to new contract

🔧 Temporary Workarounds

Avoid vulnerable contract (scope: all): Do not hold or transact with the vulnerable LNCToken contract

Token migration (scope: all): Migrate to a new, audited token contract if available

🧯 If You Can't Patch

  • Monitor transactions involving the vulnerable contract address for suspicious activity
  • Implement wallet-level controls to prevent interactions with the vulnerable contract

🔍 How to Verify

Check if Vulnerable:

Check if interacting with contract address 0x63e634330a20150dbb61b15648bc73855d6ccf07

Check Version:

Not applicable for smart contracts

Verify Fix Applied:

Verify new contract address has been deployed and token migration completed

📡 Detection & Monitoring

Log Indicators:

  • Unusual token transfers from large accounts
  • Contract owner initiating unexpected transfers

Network Indicators:

  • Transactions to/from vulnerable contract address
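As an added example (not part of this advisory or any vendor tooling), the script below screens a constructed batch of decoded ERC20 `Transfer` events against the indicators listed above: any event on the vulnerable contract address, owner-initiated transfers that move funds out of an account other than the owner's, and transfers above a size threshold. It also replays the events against a balance snapshot and flags any event after which the sum of balances changes, which is the on-chain symptom of a wrapped addition. The owner address, the threshold, the transaction hashes and the balances are all assumed placeholders; only the contract address comes from the advisory.

```python
# Added monitoring example. The contract address is from the advisory; the
# owner address, threshold, tx hashes, balances and events are constructed.

VULN_CONTRACT = "0x63e634330a20150dbb61b15648bc73855d6ccf07"   # from the advisory
OWNER = "0x000000000000000000000000000000000000own3"            # assumed placeholder
LARGE_TRANSFER = 1_000_000 * 10**18                              # assumed threshold (base units)

# Constructed sample of decoded Transfer events (lower-cased addresses).
EVENTS = [
    {"tx": "0xtx01", "contract": "0x00000000000000000000000000000000000other",
     "tx_sender": "0x0000000000000000000000000000000000a11ce",
     "from": "0x0000000000000000000000000000000000a11ce",
     "to": "0x00000000000000000000000000000000000b0b00", "value": 5 * 10**18},
    {"tx": "0xtx02", "contract": VULN_CONTRACT,
     "tx_sender": "0x0000000000000000000000000000000000a11ce",
     "from": "0x0000000000000000000000000000000000a11ce",
     "to": "0x00000000000000000000000000000000000b0b00", "value": 5 * 10**18},
    {"tx": "0xtx03", "contract": VULN_CONTRACT,
     "tx_sender": OWNER,
     "from": "0x000000000000000000000000000000000000b1g1",
     "to": OWNER, "value": 3_000_000 * 10**18},
]


def screen_events(events, contract=VULN_CONTRACT, owner=OWNER, large=LARGE_TRANSFER):
    """Return [(tx, [reasons])] for events matching the advisory's indicators."""
    findings = []
    for ev in events:
        if ev["contract"].lower() != contract.lower():
            continue                                   # not the watched contract
        reasons = ["transfer on vulnerable contract"]
        if ev["tx_sender"].lower() == owner.lower() and ev["from"].lower() != owner.lower():
            reasons.append("owner-initiated transfer from another account")
        if ev["value"] >= large:
            reasons.append("large transfer")
        findings.append((ev["tx"], reasons))
    return findings


def replay_conservation(events, balances, contract=VULN_CONTRACT, modulus=1 << 256):
    """Replay transfers on a balance snapshot; flag any tx after which the
    balance sum changes (the symptom of a wrapped uint256 addition)."""
    bal = dict(balances)
    flagged = []
    for ev in events:
        if ev["contract"].lower() != contract.lower():
            continue
        before = sum(bal.values())
        # Model the EVM's wrapping arithmetic so a real overflow would show up.
        bal[ev["from"]] = (bal.get(ev["from"], 0) - ev["value"]) % modulus
        bal[ev["to"]] = (bal.get(ev["to"], 0) + ev["value"]) % modulus
        if sum(bal.values()) != before:
            flagged.append(ev["tx"])
    return flagged


# Constructed snapshot of balances on the watched contract before the events.
SNAPSHOT = {
    "0x0000000000000000000000000000000000a11ce": 10 * 10**18,
    "0x000000000000000000000000000000000000b1g1": 4_000_000 * 10**18,
    OWNER: 0,
}

if __name__ == "__main__":
    for tx, reasons in screen_events(EVENTS):
        print(tx, "->", "; ".join(reasons))
    print("non-conserving txs:", replay_conservation(EVENTS, SNAPSHOT))
```

With the constructed data, tx02 is reported only because it touches the vulnerable contract, tx03 trips all three indicators, and the replay finds no balance-sum change because none of the sample transfers wraps; feeding the replay real event data and a real snapshot is what turns it into a detection for the overflow itself.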

SIEM Query:

Not applicable for blockchain transactions
