
CVE-2022-35621: n/a in n/a

Medium
Published: Wed Sep 21 2022 (09/21/2022, 18:14:11 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

Access control vulnerability in Evoh NFT EvohClaimable contract with sha256 hash code fa2084d5abca91a62ed1d2f1cad3ec318e6a9a2d7f1510a00d898737b05f48ae allows remote attackers to execute fraudulent NFT transfers.

AI-Powered Analysis

Last updated: 07/07/2025, 09:13:03 UTC

Technical Analysis

CVE-2022-35621 is an access control vulnerability identified in the Evoh NFT EvohClaimable smart contract, which is used for managing non-fungible tokens (NFTs). The vulnerability allows remote attackers to execute fraudulent NFT transfers without proper authorization. Specifically, the flaw lies in insufficient access control checks within the contract's logic, enabling unauthorized entities to transfer NFTs they do not own or control. The vulnerability is associated with CWE-284 (Improper Access Control), indicating that the contract fails to enforce correct permissions for critical operations. The CVSS v3.1 base score is 5.3 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). This means an attacker can remotely exploit the vulnerability without authentication or user interaction, causing unauthorized modification of NFT ownership records, potentially leading to fraudulent transfers and loss of asset control. Although no patches or vendor information are provided, the vulnerability's presence in a smart contract implies that affected deployments on blockchain networks could be exploited by adversaries to manipulate NFT ownership, undermining trust and value in affected NFT projects.

Potential Impact

For European organizations involved in NFT creation, trading, or custody, this vulnerability poses a significant risk to the integrity of their digital asset holdings. Fraudulent transfers could result in financial losses, reputational damage, and legal complications, especially under stringent EU regulations such as GDPR and the upcoming Digital Operational Resilience Act (DORA) that emphasize security and operational integrity. Organizations relying on the EvohClaimable contract or derivatives thereof may face unauthorized asset transfers, undermining customer trust and potentially causing cascading effects in marketplaces and secondary trading platforms. The lack of confidentiality impact reduces risk of data leakage, but the integrity compromise directly affects asset ownership and transactional trust. Given the decentralized and immutable nature of blockchain, remediation after exploitation can be challenging, emphasizing the importance of proactive mitigation. Additionally, the medium severity score suggests that while exploitation is feasible without privileges or user interaction, the impact is limited to integrity and does not affect availability or confidentiality.

Mitigation Recommendations

European organizations should first identify whether they utilize the EvohClaimable contract or any derivative smart contracts containing this vulnerability. Since no official patches are listed, organizations should consider redeploying updated smart contracts with corrected access control logic, ensuring that only authorized parties can initiate NFT transfers. Implementing multi-signature wallets or role-based access control within smart contracts can add layers of security. Regular smart contract audits by reputable security firms are recommended to detect similar vulnerabilities. Monitoring blockchain transactions for anomalous NFT transfers can help detect exploitation attempts early. Organizations should also educate users about potential risks and establish incident response plans specific to blockchain asset compromise. Where possible, migrating NFTs to more secure contract implementations or platforms with proven security track records can reduce exposure. Finally, engaging with the broader blockchain community to share threat intelligence and mitigation strategies can improve collective defense.
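The recommendations above call for transfer logic that only the owner (or a party the owner has explicitly approved) can invoke, plus role-based control over privileged operations such as minting. The following Solidity contract is an added illustration of that pattern; it is not the EvohClaimable contract (whose source is not on this page) and all names in it (GuardedClaimable, setMinter, _isAuthorized) are hypothetical. The class of defect described in the analysis corresponds to a transfer function that skips the `_isAuthorized` check below.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a minimal claimable NFT with explicit access control.
// Not the EvohClaimable contract; all identifiers are hypothetical.
contract GuardedClaimable {
    address public admin;
    mapping(address => bool) public minters;                           // role: who may mint
    mapping(uint256 => address) private _ownerOf;                      // tokenId -> owner
    mapping(uint256 => address) private _approved;                     // tokenId -> approved spender
    mapping(address => mapping(address => bool)) private _operators;   // owner -> operator -> allowed

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin()  { require(msg.sender == admin, "not admin"); _; }
    modifier onlyMinter() { require(minters[msg.sender], "not minter"); _; }

    // Role-based access: only the admin grants or revokes the minter role.
    function setMinter(address who, bool allowed) external onlyAdmin {
        minters[who] = allowed;
    }

    function ownerOf(uint256 tokenId) public view returns (address) {
        address owner = _ownerOf[tokenId];
        require(owner != address(0), "no such token");
        return owner;
    }

    function mint(address to, uint256 tokenId) external onlyMinter {
        require(to != address(0), "zero address");
        require(_ownerOf[tokenId] == address(0), "already minted");
        _ownerOf[tokenId] = to;
        emit Transfer(address(0), to, tokenId);
    }

    function approve(address spender, uint256 tokenId) external {
        address owner = ownerOf(tokenId);
        require(msg.sender == owner || _operators[owner][msg.sender], "not authorized");
        _approved[tokenId] = spender;
    }

    function setApprovalForAll(address operator, bool approved) external {
        _operators[msg.sender][operator] = approved;
    }

    // The authorization check: caller must be the owner, the approved spender
    // for this token, or an operator the owner has approved.
    function _isAuthorized(address caller, uint256 tokenId) internal view returns (bool) {
        address owner = ownerOf(tokenId);
        return caller == owner || _approved[tokenId] == caller || _operators[owner][caller];
    }

    function transferFrom(address from, address to, uint256 tokenId) external {
        require(_isAuthorized(msg.sender, tokenId), "caller may not transfer this token");
        require(ownerOf(tokenId) == from, "from is not the owner");
        require(to != address(0), "zero address");
        delete _approved[tokenId];   // a single-token approval does not survive a transfer
        _ownerOf[tokenId] = to;
        emit Transfer(from, to, tokenId);
    }
}
```

Two design points matter for the mitigation described above: the check is performed against `msg.sender` (the actual caller), never against a caller-supplied `from` address, and the per-token approval is cleared on transfer so a stale approval cannot be reused by a previous owner's delegate. An audit of a claimable contract should confirm both properties on every path that changes ownership, including any claim or batch-transfer entry points beyond `transferFrom`.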


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-07-11T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68371a22182aa0cae24f8aee

Added to database: 5/28/2025, 2:13:54 PM

Last enriched: 7/7/2025, 9:13:03 AM

Last updated: 8/16/2025, 12:59:41 AM
