The Creat future (CF) contract has a security vulnerability: the from (sender) address is not verified
Anyone can call the _transfer method of the Creat future contract to transfer tokens. When the administrator sets the useWhiteListSwith variable to false, the _transfer method does not check whether msg.sender, from, and to are in the whitelist, so the from address can be any address. An attacker can transfer tokens by passing someone else's address as from and an address under the attacker's control as to. Many addresses have already made profits, and it is not possible to determine which of them are official addresses. Some of the profitable addresses have transferred funds to the mixing platform Tornado.Cash.
The current contract administrator has set the useWhiteListSwith variable to true. Users who are not on the whitelist will not be able to use the _transfer method normally.
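The report describes a _transfer that is publicly callable and gated only by the whitelist switch. The sketch below is an added example, not the Creat future contract's code, showing one way to make authorization of from independent of that switch. The contract name, the mappings and every function other than _transfer are assumptions made for illustration.

```solidity
pragma solidity ^0.8.0;
// Simplified model written for this example; NOT the Creat future source.
// Only _transfer, useWhiteListSwith, from, to and msg.sender come from the
// report; every other name is hypothetical.
contract HardenedTokenSketch {
    address public owner;
    bool public useWhiteListSwith; // false = whitelist checks are skipped
    mapping(address => bool) public whiteList;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    function setWhiteList(bool enabled, address account, bool allowed) external {
        require(msg.sender == owner, "not owner");
        useWhiteListSwith = enabled;
        whiteList[account] = allowed;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    // Callers can only move their own balance...
    function transfer(address to, uint256 amount) external {
        _transfer(msg.sender, to, amount);
    }

    // ...or an amount that `from` approved for them beforehand.
    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount; // 0.8 reverts on underflow
        _transfer(from, to, amount);
    }

    // internal: unreachable from outside the contract, so the authorization
    // above always runs, whatever the whitelist switch is set to.
    function _transfer(address from, address to, uint256 amount) internal {
        if (useWhiteListSwith) {
            require(whiteList[msg.sender] && whiteList[from] && whiteList[to], "not whitelisted");
        }
        balanceOf[from] -= amount; // reverts if the balance is insufficient
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

With this layout, turning the whitelist off only widens who may hold and send tokens. It does not let a caller choose an arbitrary from.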