VYPR
Unrated severity · NVD Advisory · Published Sep 18, 2018 · Updated Aug 5, 2024

CVE-2018-17111

Description

The onlyOwner modifier of a smart contract implementation for Coinlancer (CL), an Ethereum ERC20 token, has a potential access control vulnerability. All contract users can access functions that use this onlyOwner modifier, because the comparison between msg.sender and owner is incorrect.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coinlancer (CL) ERC20 token contract uses a flawed `onlyOwner` modifier that allows any user to call owner-restricted functions.

Vulnerability

The Coinlancer (CL) Ethereum ERC20 token smart contract contains an access control flaw in the `onlyOwner` modifier [1]. The modifier incorrectly implements the ownership check: `require(msg.sender != owner);` instead of `require(msg.sender == owner);`. This logic error causes the `require` statement to fail for the legitimate owner and pass for every other address, effectively making all owner-restricted functions accessible to any contract user. The vulnerable code is present in the contract as deployed on the Ethereum mainnet [1].

Exploitation

No authentication or prior access is required; any Ethereum address can call functions protected by the `onlyOwner` modifier. However, the available reference notes that the faulty modifier is not used in the current contract, so the bug is not directly exploitable in the deployed token [1]. The dangerous code pattern exists and could be triggered if the modifier were applied to any function in a future upgrade or code fork.

Impact

If the `onlyOwner` modifier were applied to sensitive functions (e.g., minting, pausing, transferring ownership), an attacker could invoke those functions, gaining unauthorized control over the contract. Potential impacts include arbitrary token minting, fund theft, or contract hijack. Since the modifier is unused in the current deployment, there is no immediate loss of funds or privileges [1].

Mitigation

No patched version has been released by the Coinlancer project. The developers must replace the faulty `require` statement with `require(msg.sender == owner);` and re-deploy the contract. As of the publication date (2018-09-18), no fix or audit has been confirmed [1]. Users and exchanges should monitor the contract for any changes that might apply the flawed modifier to owner functions.
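An added example, not code from the Coinlancer project or the cited reference: a heuristic Python check that flags Solidity modifiers whose owner comparison is inverted and lists the functions that apply them, which is the condition the monitoring advice above is concerned with. The Solidity sample is constructed, and the names `audit`, `body_at`, `onlyAdmin`, `mint` and `pause` are hypothetical.

```python
import re

# Constructed Solidity sample (NOT the deployed Coinlancer source): the inverted
# check from the advisory, applied to one hypothetical function.
SAMPLE = """
contract Token {
    address public owner;
    modifier onlyOwner() { require(msg.sender != owner); _; }  // inverted
    modifier onlyAdmin() { require(msg.sender == owner); _; }  // correct
    function mint(address to, uint256 v) public onlyOwner { }
    function pause() public onlyAdmin { }
    function transfer(address to, uint256 v) public returns (bool) { }
}
"""

MODIFIER = re.compile(r"\bmodifier\s+(\w+)\s*(?:\([^)]*\))?\s*\{")
# A require/assert that only passes when the caller is NOT the owner.
INVERTED = re.compile(
    r"\b(?:require|assert)\s*\(\s*"
    r"(?:msg\.sender\s*!=\s*owner|owner\s*!=\s*msg\.sender)\b")
# Group 2 is the text between the parameter list and the body: visibility,
# modifiers and the returns clause.
FUNCTION = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]")


def strip_comments(src):
    """Drop // and /* */ comments so commented-out code is not reported."""
    return re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)


def body_at(src, open_idx):
    """Return the text of the brace-delimited block whose '{' is at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: take the remainder


def audit(src):
    """Map each modifier with an inverted owner check to the functions using it."""
    src = strip_comments(src)
    flawed = [m.group(1) for m in MODIFIER.finditer(src)
              if INVERTED.search(body_at(src, m.end() - 1))]
    return {name: [f.group(1) for f in FUNCTION.finditer(src)
                   if re.search(r"\b%s\b" % re.escape(name), f.group(2))]
            for name in flawed}
```

An empty list for a flagged modifier corresponds to the situation the advisory describes for the deployed token: the flawed modifier exists but no function applies it. The matching is regex-based and assumes the state variable is literally named `owner`.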

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
