WHEN Smart Contract Allows Theft Of Tokens

Our recent review of the code for the WHEN smart contract revealed some suspicious, malicious, and downright scammy code. Read on for details.

Published on Jun 24, 2019 09:44 By Binod Nirvan

The function of a smart contract is simple: to hold assets in escrow into all parties have completed the requirements of said contract. Many blockchain projects make use of smart contracts. The idea is that they remove the need for either party to trust the other -- but what happens when you can't trust the underlying code of the smart contract itself?

Our recent review of the code for the WHEN smart contract revealed some suspicious, malicious, and downright scammy code. Read on for details.

Issue with WHEN ERC20 token

To view this code yourself, visit: WHEN smart contract

To put it plainly, the WHEN token contract enables the contract owner to steal anyone’s funds whether they’re on a centralized or decentralized exchange, hardware or software wallet, hot or cold storage, paper or brain wallet. It does not matter, they can move tokens from one wallet to another which means they can also steal them if they desire to. 

In order to steal funds from any wallet, the contract owner has to first pass an Ethereum address to the function “authorizeContract”.

 Function authorizeContract




This function has a design loophole which not only allows the WHEN contract owner to enter any smart contract address of their choice but also they can pass any Ethereum wallet address here. Like shown in the above image, whenever there is a possibility of adding/editing/changing smart contracts at any time without proper measures in place, the contract owners can do anything. Because the new and undeployed smart contract can contain any kind of logic, good or evil, honest or scammy, you cannot say for sure.



Interestingly, they only need an address they control (whether it is a smart contract or a wallet address) set into the array variable “authorizedContracts” and they are good to go. This variable is used in the function “isContractAuthorized” to check if someone has the permission to execute the next function we’ll show you below. 

How WHEN Contract Owner Could Steal Your Funds?

It’s extremely easy! By calling a seemingly innocent-looking function called “vestingGrant”.



Just pass the following parameters:

  • Issuer → The address from where the tokens will be stolen.
  • Beneficiary → The address to where the stolen tokens will go to.
  • VestedJiffys → The amount of tokens to steal.
  • UnvestedJiffys or whatever that mumbo jumbo is→ 0 (zero).

Confused by what all of this means? You can learn smart contracts in plain English at Cointelligence Academy.

Exchanges failing to do their due diligence!

You can already find WHEN on exchanges like HotBit, IDEX, LATOKEN, and BITKER. All of these exchanges charge listing fees, and should be using the listing fees to audit the smart contracts to find such issues and tackle them before the listing to protect their users.
Our CSO Hosam Mazawi had a call with IDEX's listing agents, who asked for a $5000 listing fee for their "decentralized exchange." When asked why they were charging this fee they said it's for a smart contract audit and legal audit. Hosam stated that we had an audit report from one of the top firms in the world and we have legal opinion from our legal counsel in our jurisdiction, so their cost was not needed in this case. They still refused, claiming that they don't trust other firms and they have to do it again.
If that's the case then how did the WHEN token get listed on their exchange? This seems like cutting proof that IDEX doesn't do any smart contract audits or legal review before listing tokens on their exchange. So where is that $5000 going?

Looking for auditing service or due diligence service. Visit our Cointelligence Services page and learn more. 

About Binod Nirvan

Binod works as Smart Contract Auditor in Cointelligence. He has been exposing ERC20 code-based scam tokens or such tokens which have malicious and ill-intention towards investors. Binod has also worked with over a dozen blockchain startups assisting them in smart contract audits and reviewing decentralized applications.

About Hosam Mazawi

Hosam Mazawi is the CSO of Cointelligence, the data research & analysis firm. He is an expert strategist in the cryptocurrency field. Since 2017, he has served as an advisor for several ICOs such as Alprockz and Geon Network, guiding them in their marketing and business development efforts. Hosam is also the co-founder of the LemonUnit Boutique Software House, which is offering bespoke programming.