CVE-2018-13230
Description
An integer overflow in the DestiNeed (DSN) token smart contract's sell function allows a seller to lose tokens without receiving Ether.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The sell function in the DestiNeed (DSN) Ethereum token smart contract, as implemented in contract address 0xab3a93b317def7426c8345538690036cb92a11e6, contains an integer overflow vulnerability. The line msg.sender.send(amount * sellPrice) performs a multiplication that can overflow when sellPrice is set to a very large value (e.g., 0x8000000000000000000000000000000000000000000000000000000000000000) and amount is small, causing the product to be zero. This code path is reachable when the contract owner uses the setPrices function to manipulate sellPrice. The vulnerable contract version is the one deployed at the time of the analysis (2018) [1][2].
Exploitation
An attacker who is the contract owner can set sellPrice to an extremely high value using setPrices. When a user then calls sell with a small amount (e.g., 2 tokens), the multiplication amount * sellPrice overflows to zero. The send call thus sends 0 Ether to the seller, while the contract transfers amount tokens from the seller to the contract. The user loses their tokens without receiving any Ether in return. Setting the price requires being the contract owner; beyond that, no special network position or authentication is required, and a user simply needs to call sell after the price has been manipulated [1].
Impact
A seller loses the tokens they intended to sell, receiving zero Ether. The attacker (contract owner) retains the tokens in the contract balance. This results in a direct financial loss for the seller and enriches the attacker. The CIA outcome is primarily a compromise of availability (loss of assets) and integrity (unfair manipulation of contract logic) [1].
Mitigation
At the time of disclosure (July 2018), no official patch or updated contract was identified in the available references. The vulnerability is inherent in the contract's arithmetic; a fixed version would need to use a safe math library or check for overflow before multiplication. Users are advised to avoid interacting with this contract or any similar ones that do not use overflow-safe arithmetic [1][2].
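The wraparound and the overflow check described above, as an added Python model (not the DSN contract's code and not taken from the cited references). The ledger layout, the account name and all function names are assumptions made for the illustration.

```python
# Added illustration: models Solidity uint256 arithmetic in Python.
# Ledger layout, account name and function names are hypothetical, not the DSN source.
UINT256_MAX = 2**256 - 1
PRICE = 1 << 255  # the page's example sellPrice: only the top bit of a uint256 set

class Overflow(Exception):
    """Stands in for the revert a checked multiply would cause on-chain."""

def wrapping_mul(a, b):
    # Unchecked uint256 multiplication: the result is reduced modulo 2**256.
    return (a * b) & UINT256_MAX

def checked_mul(a, b):
    # SafeMath-style check: divide the wrapped product back by a and compare
    # with b; a mismatch means the true product did not fit in 256 bits.
    if a == 0:
        return 0
    c = wrapping_mul(a, b)
    if c // a != b:
        raise Overflow(f"{a} * {b:#x} does not fit in uint256")
    return c

def sell(ledger, seller, amount, sell_price, mul):
    """Model of sell(): tokens move to the contract, seller is paid amount * sellPrice."""
    if ledger["tokens"][seller] < amount:
        raise ValueError("insufficient token balance")
    payout = mul(amount, sell_price)  # checked_mul raises before any state changes
    ledger["tokens"][seller] -= amount
    ledger["tokens"]["contract"] += amount
    ledger["wei"][seller] += payout
    return payout

def max_safe_amount(sell_price):
    # Largest amount whose payout still fits in uint256 at this price;
    # a caller can compare this with the amount before selling.
    return UINT256_MAX // sell_price if sell_price else UINT256_MAX

def new_ledger():
    # Constructed sample state: one seller holding 10 tokens.
    return {"tokens": {"alice": 10, "contract": 0}, "wei": {"alice": 0}}

if __name__ == "__main__":
    ledger = new_ledger()
    print("unchecked payout:", sell(ledger, "alice", 2, PRICE, wrapping_mul), ledger)
    try:
        sell(new_ledger(), "alice", 2, PRICE, checked_mul)
    except Overflow as exc:
        print("checked sell reverted:", exc)
    print("max safe amount at this price:", max_safe_amount(PRICE))
```

With the checked multiply the sale is rejected before any balance changes, which is the behaviour a safe math library gives the contract.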
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/ETHEREUMBLACK/sell%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/DestiNeedToken (mitre, x_refsource_MISC)