CVE-2018-13158

Vulnerability

The mintToken function in the AssetToken smart contract, an Ethereum token, contains an integer overflow vulnerability. The function does not perform arithmetic validation when increasing a user's balance, allowing the owner to set the balance of an arbitrary user to any value. The vulnerable contract is part of the AssetToken project [1][2].

Exploitation

An attacker who is the contract owner can call the mintToken function with a large amount, causing an overflow in the balance addition. By carefully selecting input values, the owner can set any user's token balance to a desired value without equivalent token minting limits [1].

Impact

A contract owner can arbitrarily increase or decrease the token balance of any user, directly manipulating token supply and user holdings. This undermines the token's integrity and can lead to financial loss or manipulation of the token economy [1].

Mitigation

No fix has been publicly released for the AssetToken contract. The reference indicates the vulnerability follows the same pattern as other tokens in the EtherTokens repository [1]. Users should avoid using this unpatched contract; no workaround is available aside from replacing the contract with a safe version that includes integer overflow protection.