CVE-2022-25335

7.5 HIGH

📋 TL;DR

CVE-2022-25335 is an access control vulnerability in RigoBlock Dragos smart contracts: the setMultipleAllowances function lacks the onlyOwner modifier, so any address can set the token allowances the contract grants. An attacker can grant an allowance and then transfer the contract's tokens without authorization, affecting all users interacting with vulnerable RigoBlock Dragos contracts. The vulnerability was actively exploited in February 2022, before it was publicly disclosed.

💻 Affected Systems

Products:
  • RigoBlock Dragos
Versions: All versions through 2022-02-17
Operating Systems: Not applicable - smart contract vulnerability
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Ethereum blockchain deployments of RigoBlock Dragos smart contracts. The vulnerability exists in the contract code itself, not in deployment configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of all tokens controlled by vulnerable contracts through unauthorized allowance manipulation and subsequent transfers.

🟠 Likely Case: Unauthorized token transfers resulting in financial losses for contract users and token holders.

🟢 If Mitigated: No impact if proper access controls are implemented and the onlyOwner modifier is enforced.
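The following is an added illustration of the bug class described above, not RigoBlock's code: a hypothetical pool contract with a setMultipleAllowances function that is reachable by anyone, beside the same function behind an onlyOwner modifier. The function signature, the contract names and the IERC20 interface are assumptions; the point is only that the unguarded version lets any caller make the contract approve a spender for its token balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the pool contract needs. The allowance it grants
// to a spender is exactly what setMultipleAllowances controls.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical reconstruction of the vulnerable pattern (assumed signature,
// not the Drago contract). Any address can call setMultipleAllowances and make
// this contract approve an arbitrary spender, including the caller, for its
// token balances; the spender can then drain them with transferFrom.
contract VulnerablePool {
    address public owner;

    constructor() { owner = msg.sender; }

    // BUG: no access control on a function that changes this contract's allowances.
    function setMultipleAllowances(
        address spender,
        address[] calldata tokens,
        uint256[] calldata amounts
    ) external {
        require(tokens.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            require(IERC20(tokens[i]).approve(spender, amounts[i]), "approve failed");
        }
    }
}

// Hardened form: the same function restricted to the contract owner.
contract HardenedPool {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() { owner = msg.sender; }

    // Reverts for every caller except the current owner.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // FIX: onlyOwner gates the allowance change; a call from any other address reverts.
    function setMultipleAllowances(
        address spender,
        address[] calldata tokens,
        uint256[] calldata amounts
    ) external onlyOwner {
        require(tokens.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            require(IERC20(tokens[i]).approve(spender, amounts[i]), "approve failed");
        }
    }
}
```

When reviewing a contract for this class of bug, list every external or public function that calls approve, transfer or transferFrom on behalf of the contract and confirm each one carries an access-control modifier; modifiers are inlined at compile time, so this check has to be done against verified source, not by looking for the modifier name in bytecode.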

🌐 Internet-Facing: HIGH - Smart contracts are inherently internet-facing and accessible to anyone on the blockchain.
🏢 Internal Only: LOW - This is a smart contract vulnerability, not an internal network issue.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild in February 2022. The vulnerability allows any Ethereum address to call the vulnerable function without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available until major protocol upgrade

Vendor Advisory: https://twitter.com/RigoBlock/status/1494351180713050116

Restart Required: No

Instructions:

No immediate patch available. Users should migrate to new contracts once protocol upgrade is deployed. Monitor RigoBlock announcements for upgrade schedule.

🔧 Temporary Workarounds

Contract Migration
Applies to: all
Action: Deploy new smart contracts with proper access controls and migrate all tokens and users.
Command: Not applicable - requires smart contract development and deployment.

🧯 If You Can't Patch

  • Monitor contract interactions for unauthorized setMultipleAllowances calls
  • Implement additional off-chain validation for token transfers

🔍 How to Verify

Check if Vulnerable:

Check whether the deployed contract at address 0x876b9ebd725d1fa0b879fcee12560a6453b51dc8 enforces the onlyOwner modifier on the setMultipleAllowances function

Check Version:

Not applicable - inspect the verified source code on Etherscan. Modifiers are inlined when the contract is compiled, so the bytecode alone does not reveal whether onlyOwner is present; the verified source does.

Verify Fix Applied:

Verify that the new contract's source code applies the onlyOwner modifier to the setMultipleAllowances function

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized calls to setMultipleAllowances function
  • Unexpected token allowance changes

Network Indicators:

  • Transactions calling setMultipleAllowances from non-owner addresses
  • Suspicious token transfer patterns following allowance changes

SIEM Query:

Not applicable - blockchain transactions are public and can be monitored via blockchain explorers
