CVE-2018-14063

9.8 CRITICAL

📋 TL;DR

The increaseApproval function in Tracto (TRCT) ERC20 smart contract contains an integer overflow vulnerability. This allows attackers to manipulate token approval amounts, potentially stealing tokens from user accounts. Anyone holding or interacting with the TRCT token on Ethereum is affected.

💻 Affected Systems

Products:
  • Tracto (TRCT) ERC20 Token Smart Contract
Versions: All versions before the fix
Operating Systems: Not applicable - Ethereum blockchain
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of the vulnerable smart contract on Ethereum mainnet and testnets

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers drain all approved tokens from vulnerable wallets, causing complete loss of funds for token holders.

🟠 Likely Case

Targeted exploitation of high-value wallets to steal significant token amounts.

🟢 If Mitigated

No impact if users haven't approved the vulnerable contract or use patched versions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Integer overflow exploitation is well understood in smart contracts; the public GitHub issue includes a proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed version in GitHub repository

Vendor Advisory: https://github.com/tracto2/Tracto-ERC20/issues/1

Restart Required: No

Instructions:

1. Deploy the patched smart contract version
2. Migrate token holders to the new contract
3. Discontinue use of the vulnerable contract

🔧 Temporary Workarounds

Revoke Token Approvals

Remove approval permissions for the vulnerable TRCT contract from your wallet.

Use setApprovalForAll(contractAddress, false) or approve(contractAddress, 0). Note that setApprovalForAll belongs to the ERC721/ERC1155 interfaces, not to ERC20; for an ERC20 token such as TRCT the applicable call is approve with an allowance of 0 for the spender whose permission you want to revoke.

🧯 If You Can't Patch

  • Avoid interacting with the TRCT token contract entirely
  • Move funds to wallets that have never approved the vulnerable contract

🔍 How to Verify

Check if Vulnerable:

Check whether your wallet has approved the vulnerable TRCT contract address, using Etherscan or your wallet interface.

Check Version:

Check the contract source code on Etherscan for a SafeMath (checked arithmetic) implementation in increaseApproval.

Verify Fix Applied:

Verify the new contract deployment and check that it uses SafeMath or similar overflow protection.
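As an added illustration (not the Tracto contract's own code, and not taken from the advisory), the following Python model shows what the SafeMath check you are looking for actually changes: an unchecked uint256 addition wraps modulo 2**256 as pre-0.8 Solidity did, while a SafeMath-style add reverts. The `rejects_wrapping_increment` probe is the kind of unit test a reviewer would run against a candidate fix; the owner and spender addresses in it are constructed placeholders.

```python
# Added example (not the Tracto contract's code): a Python model of
# increaseApproval over uint256, in the unchecked form that wraps modulo 2**256
# (pre-0.8 Solidity semantics) and the SafeMath-style form that reverts.

UINT256_MAX = 2**256 - 1


class OverflowRevert(Exception):
    """Stands in for the Solidity revert raised by SafeMath's assert."""


def unchecked_add(a: int, b: int) -> int:
    """uint256 addition as Solidity < 0.8 performed it: silent wraparound."""
    return (a + b) & UINT256_MAX


def safe_add(a: int, b: int) -> int:
    """SafeMath.add: c = a + b; assert(c >= a); return c."""
    c = (a + b) & UINT256_MAX
    if c < a:
        raise OverflowRevert("SafeMath: addition overflow")
    return c


class AllowanceLedger:
    """Minimal ERC20 allowance mapping with a switchable increaseApproval."""

    def __init__(self, checked: bool) -> None:
        self.checked = checked
        self.allowed = {}  # (owner, spender) -> allowance

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowed.get((owner, spender), 0)

    def increase_approval(self, owner: str, spender: str, added_value: int) -> int:
        """Mirror of increaseApproval(_spender, _addedValue) with owner == msg.sender."""
        if not 0 <= added_value <= UINT256_MAX:
            raise ValueError("added_value must fit in uint256")
        add = safe_add if self.checked else unchecked_add
        new_value = add(self.allowance(owner, spender), added_value)
        self.allowed[(owner, spender)] = new_value
        return new_value


def rejects_wrapping_increment(ledger: AllowanceLedger) -> bool:
    """Verification probe for the fix: after a small allowance, request an
    increment that cannot fit in uint256. A protected contract reverts and
    leaves the allowance untouched; an unprotected one wraps to a small value."""
    owner, spender = "0xOWNER", "0xSPENDER"  # constructed placeholder addresses
    ledger.increase_approval(owner, spender, 100)
    try:
        ledger.increase_approval(owner, spender, UINT256_MAX)
    except OverflowRevert:
        return ledger.allowance(owner, spender) == 100
    return False  # no revert: the allowance silently wrapped


if __name__ == "__main__":
    print("unchecked:", rejects_wrapping_increment(AllowanceLedger(checked=False)))  # False
    print("SafeMath: ", rejects_wrapping_increment(AllowanceLedger(checked=True)))   # True
```

The same probe translates directly to a Solidity test against a deployed contract: set a small allowance, call increaseApproval with a value that cannot fit, and require that the call reverts and the allowance is unchanged. A contract compiled with Solidity 0.8 or later gets the checked behaviour from the compiler itself.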

📡 Detection & Monitoring

Log Indicators:

  • Unusually large approval amounts in transaction logs
  • Multiple approval transactions from same address

Network Indicators:

  • Transactions calling increaseApproval with large values
  • Suspicious contract interactions

SIEM Query:

Not applicable - blockchain transaction monitoring required
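Since no SIEM query applies, here is an added example (not part of the advisory) of the two indicators above, large approval amounts and repeated approvals from one address, implemented as a detection pass over decoded transactions. The record fields, the thresholds, and the sample transactions are all constructed for the illustration; in practice the records would come from a node or indexer that decodes calls to the TRCT contract.

```python
# Added example (not part of the advisory): a detection pass over decoded
# TRCT-style approval transactions. Record fields, thresholds, and the
# sample transactions below are all constructed for the illustration.
from collections import defaultdict

UINT256_MAX = 2**256 - 1
APPROVAL_METHODS = {"approve", "increaseApproval"}
LARGE_VALUE = 2**200        # assumed threshold for "unusually large"
BURST_COUNT = 3             # assumed: this many approvals from one sender ...
BURST_BLOCKS = 10           # ... within this many blocks counts as a burst

SAMPLE_TXS = [  # constructed records: block, sender, method, spender, value
    {"block": 100, "from": "0xaaa", "method": "increaseApproval", "spender": "0xbbb", "value": 1_000},
    {"block": 101, "from": "0xaaa", "method": "increaseApproval", "spender": "0xbbb", "value": 2_000},
    {"block": 102, "from": "0xaaa", "method": "increaseApproval", "spender": "0xbbb", "value": 3_000},
    {"block": 103, "from": "0xaaa", "method": "transfer", "spender": None, "value": 5},
    {"block": 200, "from": "0xccc", "method": "increaseApproval", "spender": "0xddd", "value": UINT256_MAX - 5},
    {"block": 300, "from": "0xeee", "method": "approve", "spender": "0xROUTER", "value": UINT256_MAX},
]


def analyze_approvals(txs, known_spenders=frozenset()):
    """Return alerts as (kind, block, sender, detail) tuples, in block order.

    kinds: large_value    - approval amount at/above LARGE_VALUE to a spender
                            not in known_spenders
           approval_burst - BURST_COUNT approvals from one sender within
                            BURST_BLOCKS blocks (fires once per burst)
    """
    alerts = []
    windows = defaultdict(list)  # sender -> block numbers of recent approvals
    for tx in sorted(txs, key=lambda t: t["block"]):
        if tx["method"] not in APPROVAL_METHODS:
            continue  # transfers and other calls are not approval indicators
        if tx["value"] >= LARGE_VALUE and tx["spender"] not in known_spenders:
            alerts.append(("large_value", tx["block"], tx["from"], tx["method"]))
        window = windows[tx["from"]]
        window.append(tx["block"])
        # drop block numbers that fell out of the sliding window
        while window and window[0] < tx["block"] - BURST_BLOCKS:
            window.pop(0)
        if len(window) == BURST_COUNT:  # fire once, when the threshold is crossed
            alerts.append(("approval_burst", tx["block"], tx["from"], len(window)))
    return alerts


if __name__ == "__main__":
    for alert in analyze_approvals(SAMPLE_TXS, known_spenders=frozenset({"0xROUTER"})):
        print(alert)
```

The `known_spenders` allow-list is the caveat that makes this usable: approving 2**256 - 1 to a well-known exchange router is a common wallet pattern, so without an allow-list the large-value rule alone produces mostly noise. The constructed sender `0xeee` shows that case, and the sample output changes depending on whether `0xROUTER` is listed.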
