Board: Scam Accusations
Re: Ziber.io is a scam! DO NOT INVEST!! Now CONFIRMED! Doors are now closed - HAHAHA
by sam12345 on 27/07/2017, 21:15:45 UTC

The actual vulnerability isn't the one stated in the announcement made by the Ziber user.

The attacker first restarted the crowdsale by calling the Crowdsale function:
https://etherscan.io/tx/0x21d1093cd6014d8ed543c1d8e9f72f904284fb77aaa9296a1f792b745f2785a1
As we can see in the Crowdsale function, which can be called by anyone, the owner becomes whoever is calling the function. Pretty simple hack, lol.

  function Crowdsale(address _token, uint _start) {
    require(_token != 0);
    require(_start != 0);

    owner = msg.sender;
    token = ZiberToken(_token);
    startsAt = _start;
  }

Then just a call to the Withdraw function (https://etherscan.io/tx/0xb7f0d837a10028271d7177e86b595b266302f1bc65c9db5cd7a6d48740c2c4de) and there goes 1000 ether.

Even the styling of the code was designed to be "invisible" to people who (didn't) check the code carefully before investing:

  /// @dev Constructor
  /// @param _token Pay Fair token address
  /// @param _start token ICO start date
  function Crowdsale(address _token, uint _start) {
    require(_token != 0);
    require(_start != 0);

    owner = msg.sender;
    token = ZiberToken(_token);
    startsAt = _start;
  }

Well, a constructor needs to have the same name as the contract (ZiberCrowdsale). It doesn't in this case; it is only described as a constructor in the comment.
An owner is normally assigned on contract creation, and only the owner can transfer the ownership.
Here, this method is designed so that ownership can be transferred by anybody.

If it's by mistake, then it's a really stupid one, and the crowdsale wouldn't even have started without explicitly calling this method. Also, a constructor is only called once, when the contract is created, and can't be called afterwards.
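As an added example (not code from the post, and not Ziber's code), here is a small Python heuristic that flags the pattern the post describes in Solidity source targeting solc versions before 0.4.22, where a constructor was identified by having the same name as its contract. A function that assigns `owner = msg.sender` but whose name differs from the contract's is compiled as an ordinary public function, callable by anyone after deployment. The two source strings are constructed for this example: the contract name ZiberCrowdsale and the Crowdsale function follow the post, while the state variable declarations around them are assumed rather than taken from the deployed contract. Since 0.4.22 the `constructor` keyword exists, and from 0.5.0 the name-based form is rejected, so current compilers make this mistake impossible; a real audit would walk solc's AST rather than use regexes.

```python
import re

# Constructed Solidity fragment modelled on the function quoted in the post.
# The state variable declarations are assumed for the example.
VULNERABLE_SRC = """
contract ZiberCrowdsale {
  address public owner;
  ZiberToken public token;
  uint public startsAt;

  /// @dev Constructor
  /// @param _token Pay Fair token address
  /// @param _start token ICO start date
  function Crowdsale(address _token, uint _start) {
    require(_token != 0);
    require(_start != 0);

    owner = msg.sender;
    token = ZiberToken(_token);
    startsAt = _start;
  }
}
"""

# Same fragment with the function named after the contract: solc < 0.4.22 then
# treats it as the constructor, which runs once at deployment and is never
# callable afterwards.
FIXED_SRC = """
contract ZiberCrowdsale {
  address public owner;
  ZiberToken public token;
  uint public startsAt;

  function ZiberCrowdsale(address _token, uint _start) {
    require(_token != 0);
    require(_start != 0);

    owner = msg.sender;
    token = ZiberToken(_token);
    startsAt = _start;
  }
}
"""

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)[^{]*\{")
# `[^{;]*` keeps an abstract declaration ending in ';' from spilling into the
# next block's opening brace.
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")
OWNER_ASSIGN_RE = re.compile(r"\bowner\s*=\s*msg\.sender\b")


def extract_block(src, open_idx):
    """Return the text between the '{' at src[open_idx] and its matching '}'."""
    if src[open_idx] != "{":
        raise ValueError("open_idx does not point at '{'")
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def find_suspicious_constructors(src):
    """Return (contract, function) pairs for functions that behave like a
    constructor (they assign owner = msg.sender) but are not one under the
    pre-0.4.22 naming rule, and are externally callable (pre-0.5 default
    visibility is public, so anything not private/internal counts)."""
    findings = []
    for cm in CONTRACT_RE.finditer(src):
        cname = cm.group(1)
        body = extract_block(src, cm.end() - 1)
        for fm in FUNC_RE.finditer(body):
            fname, modifiers = fm.group(1), fm.group(3)
            if fname == cname:
                continue  # real name-based constructor
            fbody = extract_block(body, fm.end() - 1)
            if not OWNER_ASSIGN_RE.search(fbody):
                continue
            if re.search(r"\b(private|internal)\b", modifiers):
                continue
            findings.append((cname, fname))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_suspicious_constructors(src))
```

Run stand-alone it reports `("ZiberCrowdsale", "Crowdsale")` for the first fragment and nothing for the second; the same check can be pointed at any verified source pulled from an explorer before money is sent.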