CVE-2018-13068

Vulnerability

The mintToken function in the AzurionToken (AZU) smart contract on Ethereum has an integer overflow vulnerability in the line balanceOf[target] += mintedAmount [1]. Both balanceOf[target] and mintedAmount are uint (unsigned integer) types, so the addition can overflow, wrapping around to a low value. This affects the contract at address 0x9A7069c319E0052e071fcB437c8AA3343555dadC as seen on Etherscan [1].

Exploitation

An attacker who is the contract owner can call mintToken with a large mintedAmount value (e.g., 0x8000000000000000000000000000000000000000000000000000000000000000) to overflow the target's balance [1]. By minting twice with such values, the owner can set any user's balance to any desired value, including zero [1]. No special privileges beyond owner status are needed.

Impact

A successful attack allows the owner to arbitrarily control the token balance of any address [1]. This can be used to inflate or deflate token holdings, potentially leading to financial loss, theft of tokens, or manipulation of the token's distribution.

Mitigation

Not yet disclosed in the available references. Developers should use SafeMath library or explicit overflow checks to prevent integer overflows in arithmetic operations.