CVE-2018-13159

Vulnerability

The mintToken function in the bankcoin (BNK) Ethereum smart contract contains an integer overflow vulnerability. This flaw allows the contract owner to set the balance of any user to an arbitrary value [1], [2]. The vulnerable contract is deployed on the Ethereum blockchain; specific version information is not provided in the references.

Exploitation

The attacker must be the owner of the bankcoin contract. By calling the mintToken function with a carefully crafted large value, the integer overflow occurs, enabling the owner to assign any desired balance to any chosen address. No additional privileges or user interaction are required beyond the owner's access [2].

Impact

Successful exploitation grants the contract owner complete control over token balances. This can be used to inflate the total supply arbitrarily, assign excessive tokens to the attacker's address, or drain other users' holdings. The integrity of the token is completely compromised, as balances can be manipulated at will [1], [2].

Mitigation

No official fix or updated contract version is disclosed in the available references. Users should avoid interacting with the bankcoin contract and consider it malicious. As of the publication date (2018-07-05), no workaround exists other than discontinuing use of the token [2].