VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2019 · Updated Aug 5, 2024

CVE-2018-19831

Description

The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ToOwner() function in the Cryptbond Network (CBN) ERC20 token lacks access control, allowing any attacker to change the contract owner and gain full control.

Vulnerability

The Cryptbond Network (CBN) ERC20 token smart contract contains a vulnerability in the ToOwner() function. This function is designed to change the contract owner but lacks any access control, such as a modifier to verify the caller's identity. As a result, any Ethereum address can call ToOwner() and transfer ownership to any address of their choice. Affected versions include all deployments of the CBN token contract prior to any fix [1].

Exploitation

An attacker only needs to know the contract's address and call the ToOwner() function directly from any Ethereum account. No authentication, prior access, or user interaction is required. The attacker can specify any new owner address, effectively taking control of the contract [1].

Impact

By becoming the owner, the attacker gains full control over the smart contract, including the ability to withdraw any Ether or other tokens held by the contract, pause transfers, or modify critical parameters. This can lead to total financial loss for the token holders and the original project [1].

Mitigation

The vulnerability is inherent in the contract code and cannot be mitigated without deploying a new contract or implementing an upgrade mechanism. Projects that have not yet deployed should ensure that sensitive functions like ToOwner() include the onlyOwner modifier. For existing deployments, users should discontinue use of the CBN token and migrate to a fixed version if available. No official patch has been announced as of the publication date (2019-12-31) [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
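
The access check that the Mitigation section calls for, shown as a before/after pair. This is an added example, not the CBN contract's source or code from this page; the contract names, the `newOwner` parameter, the function bodies and the event are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed sketch: the page does not reproduce the CBN source, so the
// function signature, bodies and event below are assumptions.

// Before: no check on the caller, as the CVE description states.
contract OwnerUnchecked {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Any account can call this and replace the owner.
    function ToOwner(address newOwner) public {
        owner = newOwner;
    }
}

// After: the same function gated by an onlyOwner modifier.
contract OwnerChecked {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    // Reverts unless the caller is the current owner.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    function ToOwner(address newOwner) public onlyOwner {
        // Reject the zero address so ownership is not lost by mistake.
        require(newOwner != address(0), "new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}
```

When reviewing a contract for this class of bug, list every function that writes to `owner` (or any other privileged state variable) and confirm each one carries the modifier or an equivalent `require` on `msg.sender`.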

Affected products

2

Patches

0

No patches discovered yet.

References

1
