CVE-2018-13213
Description
The sell function of a smart contract implementation for TravelCoin (TRV), an Ethereum token, has an integer overflow in which "amount * sellPrice" can be zero, consequently reducing a seller's assets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in TravelCoin (TRV) token's sell function allows setting sellPrice such that amount*sellPrice overflows to zero, causing sellers to lose tokens without receiving ETH.
Vulnerability
The TravelCoin (TRV) Ethereum token smart contract contains an integer overflow vulnerability in its sell function. Specifically, the calculation amount * sellPrice can overflow to zero when sellPrice is set to a sufficiently large value, such as 0x8000000000000000000000000000000000000000000000000000000000000000 [1]. As a result, a seller sends amount tokens but receives zero ETH in return. The affected code is present in the TravelCoinToken contract [2].
Exploitation
An attacker (typically the contract owner) can set sellPrice to an extremely high value using the setPrices() function [1]. When a victim attempts to sell multiple tokens (e.g., 2 tokens), the multiplication amount * sellPrice overflows, resulting in zero. The contract then transfers the tokens from the seller to the contract balance and attempts to send zero ETH to the seller, effectively stealing the tokens [1]. No additional privileges or user interaction beyond holding tokens are required.
Impact
A seller loses their tokens without receiving any ETH in return. The contract retains the tokens, which can be later manipulated or sold by the owner. This leads to direct financial loss for sellers and undermines trust in the token [1].
Mitigation
The vulnerability exists in the TravelCoin contract code, and no official fix has been published as of the CVE release date [2]. Users should avoid using the affected smart contract. As a workaround, contract developers should implement safe arithmetic operations (e.g., using the SafeMath library) to prevent overflows. Consider migrating to a token with audited contract code.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
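The wraparound in amount * sellPrice and the SafeMath-style guard named under Mitigation, modelled in Python as an added example (not the TravelCoin contract's code and not part of the original page). The TokenModel ledger, its balances and all function names are hypothetical; SELL_PRICE is the value cited in the Vulnerability section.

```python
# Added illustration: EVM uint256 arithmetic modelled in Python.
# TokenModel and all function names are hypothetical, not TravelCoin source.
UINT256_MAX = 2**256 - 1
SELL_PRICE = 1 << 255  # 0x80...00, the sellPrice value cited on this page


def mul_wrapping(a, b):
    """Unchecked uint256 multiply: the product is silently reduced mod 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a, b):
    """SafeMath-style multiply: raise (revert) if the product wrapped."""
    if a == 0:
        return 0
    c = mul_wrapping(a, b)
    if c // a != b:
        raise OverflowError("uint256 multiplication overflow")
    return c


def max_safe_amount(sell_price):
    """Largest amount for which amount * sell_price still fits in uint256."""
    return UINT256_MAX if sell_price == 0 else UINT256_MAX // sell_price


class TokenModel:
    """Minimal ledger with a sell() of the shape the description gives."""

    def __init__(self, sell_price, mul):
        self.sell_price, self.mul = sell_price, mul
        self.tokens = {"seller": 10, "contract": 0}  # constructed balances
        self.eth_paid = 0

    def sell(self, amount):
        if self.tokens["seller"] < amount:
            raise ValueError("insufficient token balance")
        payout = self.mul(amount, self.sell_price)  # amount * sellPrice
        # A raise above leaves the ledger untouched, like an EVM revert.
        self.tokens["seller"] -= amount
        self.tokens["contract"] += amount
        self.eth_paid += payout
        return payout


if __name__ == "__main__":
    print("unchecked payout for 2 tokens:", TokenModel(SELL_PRICE, mul_wrapping).sell(2))
    print("largest non-wrapping amount:", max_safe_amount(SELL_PRICE))
```

With the checked multiply, a sale of one token still pays out normally, while a sale of two is rejected before any balance changes.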
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/ETHEREUMBLACK/sell%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/TravelCoinToken (mitre, x_refsource_MISC)