CVE-2018-14084

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an attacker to exploit an integer overflow in the MKCB Ethereum token smart contract when the owner sets a large sellPrice value. Attackers can manipulate token sales to cause incorrect calculations, potentially stealing funds or disrupting token economics. Anyone holding or transacting with the vulnerable MKCB token contract is affected.

💻 Affected Systems

Products:
  • MKCB Ethereum token smart contract
Versions: All versions before the fix
Operating Systems: Not applicable - smart contract vulnerability
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific MKCB token contract implementation on Ethereum blockchain

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of funds for token holders through manipulated sell calculations, potentially draining the entire contract balance.

🟠 Likely Case

Partial loss of funds through manipulated token sales, disruption of token market operations, and loss of investor confidence.

🟢 If Mitigated

No impact if the contract has been upgraded or funds have been migrated to a patched version.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the contract owner to set malicious sellPrice values, making it a privilege escalation/insider threat scenario

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched contract version (specific version unknown from references)

Vendor Advisory: https://github.com/hellowuzekai/blockchains/blob/master/README.md

Restart Required: No

Instructions:

1. Deploy the new patched smart contract version
2. Migrate all funds and token balances to the new contract
3. Update all references to use the new contract address
4. Announce the migration to token holders

🔧 Temporary Workarounds

Contract migration

Applies to: all

Create and deploy a new smart contract with proper integer overflow protection using SafeMath libraries

// Solidity example using OpenZeppelin SafeMath (OpenZeppelin 2.x import path, Solidity 0.5)
pragma solidity ^0.5.0;
import "@openzeppelin/contracts/math/SafeMath.sol";
contract MKCBPatched {            // contract name is a placeholder
    using SafeMath for uint256;   // must sit inside a contract; a.mul(b) reverts on overflow instead of wrapping
}

🧯 If You Can't Patch

  • Freeze the vulnerable contract and stop all transactions
  • Implement monitoring for unusual sell transactions and price changes

🔍 How to Verify

Check if Vulnerable:

Review contract source code for sell() function without SafeMath protection and setPrices() function allowing large sellPrice values
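As an added illustration of what this review step looks for (constructed here, not the MKCB contract's source and not code from the advisory), the unchecked sell pattern described above sits beside a hardened form that applies the SafeMath workaround together with the input validation the "Verify Fix Applied" step asks for. The contract name, function names (sellUnchecked, sellChecked) and the initial token balance are assumptions made for the example.

```solidity
pragma solidity ^0.5.0;

// OpenZeppelin 2.x import path (same as the workaround snippet above)
import "@openzeppelin/contracts/math/SafeMath.sol";

// Constructed demo contract: names and numbers are illustrative assumptions,
// not identifiers or values taken from the MKCB contract.
contract SellPatternDemo {
    using SafeMath for uint256;

    address public owner;
    uint256 public sellPrice;                         // wei paid per token unit
    mapping(address => uint256) public balanceOf;

    constructor() public {
        owner = msg.sender;
        balanceOf[msg.sender] = 1000000;              // constructed initial supply
    }

    // Allow the contract to hold ETH that sell() pays out.
    function() external payable {}

    function setPrices(uint256 newSellPrice) public {
        require(msg.sender == owner, "owner only");
        sellPrice = newSellPrice;
    }

    // The pattern a reviewer should flag: plain `*` on uint256 wraps modulo
    // 2**256, so a large sellPrice can make `payout` far smaller than the true
    // product. The balance check then passes, the caller receives the wrapped
    // payout, and still gives up `amount` tokens.
    function sellUnchecked(uint256 amount) public {
        uint256 payout = amount * sellPrice;
        require(address(this).balance >= payout, "insufficient contract balance");
        balanceOf[msg.sender] -= amount;              // also unchecked: underflows if amount > balance
        balanceOf[address(this)] += amount;
        msg.sender.transfer(payout);
    }

    // Hardened form: SafeMath reverts on overflow or underflow instead of
    // wrapping, and the token balance is validated before any ETH leaves.
    function sellChecked(uint256 amount) public {
        require(amount > 0, "amount must be positive");
        require(balanceOf[msg.sender] >= amount, "insufficient token balance");
        uint256 payout = amount.mul(sellPrice);       // reverts if amount * sellPrice overflows
        require(address(this).balance >= payout, "insufficient contract balance");
        balanceOf[msg.sender] = balanceOf[msg.sender].sub(amount);
        balanceOf[address(this)] = balanceOf[address(this)].add(amount);
        msg.sender.transfer(payout);
    }
}
```

When auditing, the giveaway is any `amount * sellPrice` (or `-=` / `+=` on balances) that is not routed through `mul`, `sub` and `add`; a `setPrices()` without an upper bound on sellPrice is worth noting too, although the checked multiplication is what actually closes the hole.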

Check Version:

Check contract address and verify against known vulnerable addresses

Verify Fix Applied:

Verify new contract uses SafeMath for all arithmetic operations and has proper input validation

📡 Detection & Monitoring

Log Indicators:

  • Unusually large sellPrice values being set
  • Abnormal sell transaction volumes or values

Network Indicators:

  • Transactions to vulnerable contract address
  • Price manipulation patterns in token sales

SIEM Query:

Not applicable - blockchain transactions require specialized monitoring tools
