CVE-2018-12703

Name: CVE-2018-12703
Creator: NVD / NIST
Published: 2018-06-25T10:29:00.267+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.09%

Last modified Jun 17, 2026

CVE-2018-12703 is a vulnerability of currently unknown severity. The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the "evilReflex" issue. NOTE: a PeckShield disclosure states "some researchers have independently discussed the mechanism of such vulnerability.". EPSS estimates a 1.09% chance of exploitation in the next 30 days.

Description

The approveAndCallcode function of a smart contract implementation for Block 18 (18T), an tradable Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer the contract's balances into their account) because the callcode (i.e., _spender.call(_extraData)) is not verified, aka the "evilReflex" issue. NOTE: a PeckShield disclosure states "some researchers have independently discussed the mechanism of such vulnerability."

Metrics

EPSS Probability

1.09%

61.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions
Block18	Block18	All versions

References

https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-WithdrawalsThird Party Advisory
https://peckshield.com/2018/06/23/evilReflex/Exploit, Third Party Advisory
https://huobiglobal.zendesk.com/hc/en-us/articles/360000110521-HADAX-Suspends-18T-and-GVE-Deposits-and-WithdrawalsThird Party Advisory
https://peckshield.com/2018/06/23/evilReflex/Exploit, Third Party Advisory

Timeline

Published: Jun 25, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-12703?

How severe is CVE-2018-12703?

Severity scoring for CVE-2018-12703 is pending analysis. The EPSS model estimates a 1.09% probability of exploitation in the next 30 days.

How do I fix CVE-2018-12703?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-12703?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST