cbcvebase.
CVE-2018-10376
published 2018-04-25

CVE-2018-10376: An integer overflow in the transferProxy function of a smart contract implementation for SmartMesh (aka SMT), an Ethereum ERC20 token, allows attackers to…

PriorityP271high7.5CVSS 3.0
AVNACLPRNUINSUCNIHAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
1.82%
76.1th percentile
An integer overflow in the transferProxy function of a smart contract implementation for SmartMesh (aka SMT), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted _fee and _value parameters, as exploited in the wild in April 2018, aka the "proxyOverflow" issue.

Detection & IOCsextracted from sources · hover to see the quote

commandtransferProxy called with value=0x8ff...ff and fee=0x700...01
  • The proxyOverflow exploit targets the transferProxy function in the SmartMesh (SMT) ERC20 contract; monitor for calls to transferProxy where fee+value overflows a 256-bit unsigned integer (i.e., fee+value wraps to 0 or a small number), bypassing the sender balance check at line 2.
  • Flag any transferProxy transaction where the crafted inputs satisfy fee+value = 0 (mod 2^256), as this makes all three sanity checks (lines 2, 4, and 5) evaluate to false, allowing unauthorized token minting.
  • Alert on post-transaction token balance increases of extreme magnitude (e.g., ~5×10^57 USD equivalent) in ERC20 contracts, which is a strong indicator of a proxyOverflow-style integer overflow exploit.
  • The vulnerability class 'proxyOverflow' affected 9 tradable ERC20 tokens simultaneously in April 2018; audit all ERC20 contracts with a transferProxy function for the same integer overflow pattern in the fee+value guard condition.
  • ·The attacker-controlled inputs require from=to≠msg.sender to be false (i.e., from=to=msg.sender is NOT required; the two unspecified address values are given as the same but different from the sender) — verify address relationship assumptions when writing detection logic.
  • ·The overflow occurs specifically in the guard expression (fee+value) used to check the sender's balance, not in the actual token transfer arithmetic at lines 8–10; detection must target the guard computation, not just the transfer lines.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.