A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script.