CVE-2018-13167

Vulnerability

The mintToken function in the Yu Gi Oh (YGO) Ethereum token smart contract contains an integer overflow vulnerability [1][2]. The contract, as implemented in the ygo repository, allows the owner to mint tokens to any address without proper overflow checks [2]. This affects all versions of the YGO token contract as present in the referenced repository.

Exploitation

An attacker who is the owner of the contract can call the mintToken function with a large mintedAmount value that causes an integer overflow in the balance update [1]. No additional authentication or user interaction is required; the owner simply invokes the function with a crafted parameter.

Impact

Successful exploitation allows the contract owner to set the balance of any arbitrary user to any value, effectively creating or destroying tokens at will [1][2]. This can lead to complete loss of token value, manipulation of supply, and financial fraud.

Mitigation

No official fix or patched version has been disclosed in the available references [1][2]. Users should avoid interacting with the YGO token contract and consider it untrustworthy. The contract may be abandoned or unmaintained.