CVE-2018-14086

9.8 CRITICAL

📋 TL;DR

This vulnerability is an integer overflow in the sell() function of the SingaporeCoinOrigin (SCO) Ethereum token smart contract. When the owner sets an excessively high sellPrice, the multiplication amount * sellPrice in sell() overflows, potentially allowing attackers to manipulate token balances or steal funds. Anyone holding or transacting with the vulnerable SCO token contract is affected.

💻 Affected Systems

Products:
  • SingaporeCoinOrigin (SCO) Ethereum token smart contract
Versions: All versions with the vulnerable code implementation
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific SCO token contract deployment on Ethereum blockchain. Not a traditional software vulnerability but a smart contract logic flaw.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of funds from the smart contract, token manipulation allowing unlimited minting or theft, and permanent damage to token economics and investor trust.

🟠 Likely Case

Token holders lose funds through manipulated transactions, the contract owner loses control over pricing mechanisms, and the token value collapses due to loss of confidence.

🟢 If Mitigated

If proper overflow checks were implemented, the transaction would revert safely, preventing any financial loss while maintaining contract integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires calling the vulnerable sell() function after the owner sets a malicious sellPrice. Public proof-of-concept exists in GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

1. Deploy a new, fixed version of the smart contract with proper overflow checks using the SafeMath library.
2. Migrate all token holders to the new contract.
3. Abandon the vulnerable contract address.

🔧 Temporary Workarounds

Contract Owner Price Limitation (applies to: all)

The contract owner should avoid setting sellPrice to extremely high values that could cause the multiplication in sell() to overflow.

Token Holder Transaction Monitoring (applies to: all)

Token holders should monitor for unusual price settings and avoid selling when suspicious values are detected.

🧯 If You Can't Patch

  • Immediately stop all trading and transfers involving the vulnerable SCO token
  • Communicate the risk to all token holders and recommend moving to alternative, secure tokens

🔍 How to Verify

Check if Vulnerable:

Review the smart contract source code for a missing overflow check in the sell() function where it multiplies amount * sellPrice.

Check Version:

Check the Ethereum contract address and verify that it matches the fixed contract deployment.

Verify Fix Applied:

Verify that the new contract uses the SafeMath library or explicit overflow checks for all arithmetic operations.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large sellPrice settings in contract events
  • Failed transactions due to overflow reverts
  • Abnormal token balance changes

Network Indicators:

  • High gas usage for sell transactions
  • Multiple failed sell attempts from same addresses

SIEM Query:

N/A for blockchain transactions; monitor using blockchain explorers and smart contract event logs.
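As an added example that is not the SCO contract's code or part of this advisory, the following Python models the arithmetic behind the fix, the verification step and the monitoring guidance above. It assumes the token uses 256-bit unsigned integers (uint256), as Solidity ERC-20 tokens do, and that sell() pays out amount * sellPrice. It shows the silent wraparound of an unchecked product, a SafeMath-style checked multiplication that reverts instead, and a bound a reviewer or monitor can apply to a price-setting event to decide whether any holder's amount * sellPrice could overflow. The event name SetPrices, the sample total supply and the sample event list are constructed assumptions, not values from the page.

```python
"""Model of unchecked vs. checked uint256 multiplication for the sell() overflow.

Constructed example; assumes 256-bit unsigned arithmetic and a payout of
amount * sellPrice. Not the SCO contract's source.
"""

UINT256_MAX = 2**256 - 1
MODULUS = 2**256


class Revert(Exception):
    """Stands in for a Solidity revert (e.g. a failed SafeMath assertion)."""


def unchecked_mul(a: int, b: int) -> int:
    """Pre-0.8 Solidity semantics: the product silently wraps modulo 2**256."""
    return (a * b) % MODULUS


def safe_mul(a: int, b: int) -> int:
    """SafeMath-style multiplication: compute the wrapped product, then
    confirm it divides back to b; otherwise revert."""
    if a == 0:
        return 0
    c = (a * b) % MODULUS
    if c // a != b:
        raise Revert("SafeMath: multiplication overflow")
    return c


def simulate_sell(amount: int, sell_price: int, checked: bool):
    """Return ("ok", payout) or ("revert", 0) for a sell of `amount` tokens.

    checked=False reproduces the vulnerable pattern; checked=True the fixed one.
    """
    mul = safe_mul if checked else unchecked_mul
    try:
        return ("ok", mul(amount, sell_price))
    except Revert:
        return ("revert", 0)


def max_safe_sell_price(total_supply: int) -> int:
    """Largest sellPrice for which no holder (holding at most total_supply
    tokens) can make amount * sellPrice exceed UINT256_MAX."""
    return UINT256_MAX // total_supply


def sell_price_is_safe(sell_price: int, total_supply: int) -> bool:
    """Monitoring check: a price above the bound can only be paid out via wraparound."""
    return sell_price <= max_safe_sell_price(total_supply)


# Constructed sample of price-setting events as (block, event_name, new_sell_price).
# The event name SetPrices is an assumption, not taken from the SCO contract.
SAMPLE_EVENTS = [
    (1, "SetPrices", 10**15),
    (2, "SetPrices", 2**250),
]


def flag_risky_price_events(events, total_supply: int):
    """Return (block, sell_price) for every price event that breaks the bound."""
    return [
        (block, price)
        for block, name, price in events
        if name == "SetPrices" and not sell_price_is_safe(price, total_supply)
    ]


if __name__ == "__main__":
    # Three tokens at a sellPrice of 2**255 wrap to 2**255 unchecked, but revert checked.
    print(simulate_sell(3, 2**255, checked=False))
    print(simulate_sell(3, 2**255, checked=True))
    print(flag_risky_price_events(SAMPLE_EVENTS, total_supply=10**27))
```

The bound in max_safe_sell_price is the check to run against a price-setting event: a sellPrice above UINT256_MAX // totalSupply can be exceeded by a legitimate holder only through wraparound, so such an event is the indicator to alert on before any sell() call lands.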

🔗 References
