CVE-2018-13217
Description
The sell function of a smart contract implementation for CoinToken, an Ethereum token, has an integer overflow in which "amount * sellPrice" can be zero, consequently reducing a seller's assets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in CoinToken smart contract's sell function allows sellers to lose tokens without receiving Ether.
Vulnerability
The CoinToken Ethereum smart contract, an ERC-20-like token, contains an integer overflow vulnerability in the sell(uint256 amount) function. The expression amount * sellPrice can overflow to zero when sellPrice is set to a large value (e.g., 0x8000000000000000000000000000000000000000000000000000000000000000), so the seller receives zero Ether regardless of the actual amount. This happens because the contract performs the multiplication with Solidity's unchecked, wrapping unsigned arithmetic and never verifies that the product did not overflow. The vulnerable code is present in the CoinToken contract and in similar tokens such as ETHEREUMBLACK (ETCBK). [1][2]
Exploitation
An attacker (typically the contract owner) can call the setPrices() function to set sellPrice to an extremely large value that, when multiplied by any reasonable amount, causes an integer overflow to zero. When a user then sells tokens by calling sell(amount), the contract deducts the tokens from the seller's balance but sends amount * sellPrice Ether, which is zero. The user receives no Ether in exchange for their tokens. No special network position or authentication beyond user interaction is required; the seller simply executes the normal sell function. [1]
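As an added example (not the CoinToken contract's own code), the following Python model reproduces the uint256 wraparound described in the Vulnerability and Exploitation sections above, using the sellPrice value quoted there, beside a SafeMath-style checked multiply under which the same sell reverts instead of paying zero. The balances, account names and the simplified sell() body are constructed for illustration and only approximate the real contract.

```python
# Constructed model of the CoinToken sell() overflow and its fix (not the contract's code).
MODULUS = 2**256  # EVM unsigned integers are 256 bits wide

def evm_mul(a: int, b: int) -> int:
    """Unchecked uint256 multiply as the vulnerable contract performs it: wraps mod 2**256."""
    return (a * b) % MODULUS

def checked_mul(a: int, b: int) -> int:
    """SafeMath-style multiply: computes the wrapped product, then reverts
    (raises) unless dividing it back yields the original operand."""
    if a == 0:
        return 0
    c = evm_mul(a, b)
    if c // a != b:
        raise OverflowError("uint256 multiplication overflow")
    return c

class TokenModel:
    """Minimal stand-in for the token: balances in tokens, treasury in wei."""
    def __init__(self, balances: dict, treasury_wei: int):
        self.balance_of = dict(balances)
        self.treasury_wei = treasury_wei
        self.sell_price = 1

    def set_prices(self, sell_price: int) -> None:
        # Owner-only in the real contract; the model does not enforce that.
        self.sell_price = sell_price % MODULUS

    def _sell(self, seller: str, amount: int, mul) -> int:
        if self.balance_of.get(seller, 0) < amount:
            raise ValueError("insufficient token balance")
        revenue = mul(amount, self.sell_price)      # the critical multiplication
        if self.treasury_wei < revenue:
            raise ValueError("contract cannot pay")
        self.balance_of[seller] -= amount           # tokens leave the seller ...
        self.treasury_wei -= revenue                # ... and this much wei is paid out
        return revenue

    def sell_unchecked(self, seller: str, amount: int) -> int:
        """Vulnerable pattern: tokens are deducted even when the payout wrapped to 0."""
        return self._sell(seller, amount, evm_mul)

    def sell_checked(self, seller: str, amount: int) -> int:
        """Hardened pattern: the overflow reverts before any balance changes."""
        return self._sell(seller, amount, checked_mul)

# The sellPrice quoted in the advisory: 0x80...00 == 2**255, so any even amount wraps to 0.
OVERFLOW_PRICE = 0x8000000000000000000000000000000000000000000000000000000000000000
```

With a sane price (say 3 wei per token) both paths pay the same amount; with OVERFLOW_PRICE the unchecked path deducts the tokens and pays 0 wei, while the checked path raises and leaves the balance untouched.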
Impact
Successful exploitation results in the seller losing their tokens without receiving any Ether in return. The contract retains the transferred tokens, effectively stealing the seller's assets. This is a direct financial loss for the token holder and renders the token unsafe for trading. The impact is limited to token value, not broader system compromise. [1]
Mitigation
No fix has been released by the CoinToken project; the vulnerability exists in the original contract code as published. Users should avoid interacting with any token contracts that exhibit the vulnerable sell pattern. The contract owner can set a benign sellPrice to prevent exploitation, but nothing in the contract enforces that choice or prevents the price from being changed again. The vulnerability is similar to those reported for other tokens listed in reference [1]. As of the publication date (2018-07-05), no official patch or advisory from the CoinToken team is known. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
[1] github.com/BlockChainsSecurity/EtherTokens/blob/master/ETHEREUMBLACK/sell%20integer%20overflow.md
[2] github.com/BlockChainsSecurity/EtherTokens/tree/master/CoinToken
News mentions: 0
No linked articles in our index yet.