VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-13168

Description

An integer overflow in the mintToken function of the YGO (NetkillerBatchToken) Ethereum smart contract allows the owner to set any user's balance arbitrarily.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The mintToken function in the smart contract implementation for Yu Gi Oh (YGO), specifically the contract named NetkillerBatchToken, contains an integer overflow vulnerability [1][2]. This bug allows the contract owner to manipulate token balances in an arbitrary manner. The affected contract is deployed on the Ethereum blockchain and was identified in 2018. The overflow occurs in the minting logic, enabling the owner to set the balance of any user to any chosen value without proper arithmetic checks.

Exploitation

To exploit this vulnerability, an attacker must be the owner of the contract [1]. The owner can call the mintToken function with a crafted _value parameter that causes an integer overflow in the balance assignment. No special network position or additional authentication is required beyond the owner's control of the contract. The exploitation steps are: 1) the owner invokes mintToken specifying a target address and a large _value that overflows the user's balance variable; 2) the overflow results in the target address's balance being set to an arbitrary value chosen by the owner [1].

Impact

A successful exploit enables the contract owner to arbitrarily increase or decrease the token balance of any user [1]. This breaks the integrity of the token's total supply and individual holdings, potentially leading to loss of funds, manipulation of token distribution, or devaluation of the token. The impact is limited to the token contract itself, but the consequences for users holding YGO tokens can be severe, as the owner can effectively destroy or create tokens at will.

Mitigation

As of the available references, no official patch or fixed version has been released for the affected contract [1][2]. The vulnerability exists in the original code published on GitHub. Token holders were advised to trust only contracts that implement safe arithmetic operations, such as using the SafeMath library, to prevent integer overflows. The contract remains unpatched, and users interacting with it should exercise extreme caution or avoid it entirely.
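The unchecked addition described above next to a SafeMath-style checked version, as an added example that is not the NetkillerBatchToken source or code from this advisory. The contract name, function names and compiler version are assumptions; only `_value` comes from the text above.

```solidity
pragma solidity ^0.4.24; // assumption: a 2018-era compiler with no built-in overflow checks

// Illustrative token, not the NetkillerBatchToken source. All names are
// hypothetical except _value, which the text above uses for the mint amount.
contract MintExample {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // SafeMath-style addition: revert instead of wrapping modulo 2**256.
    function safeAdd(uint256 a, uint256 b) internal pure returns (uint256 c) {
        c = a + b;
        require(c >= a, "addition overflow");
    }

    // Weak form: unchecked additions. When balanceOf[_target] + _value exceeds
    // 2**256 - 1, the stored balance wraps modulo 2**256 instead of the call
    // failing, so the result is no longer "old balance plus minted amount".
    function mintTokenUnchecked(address _target, uint256 _value) public onlyOwner {
        balanceOf[_target] += _value;
        totalSupply += _value;
    }

    // Hardened form: both additions are checked, so an overflowing mint
    // reverts and leaves balanceOf and totalSupply unchanged.
    function mintTokenChecked(address _target, uint256 _value) public onlyOwner {
        balanceOf[_target] = safeAdd(balanceOf[_target], _value);
        totalSupply = safeAdd(totalSupply, _value);
    }
}
```

Solidity 0.8.0 and later revert on arithmetic overflow by default, so the explicit check matters for contracts built with older compilers or for arithmetic placed inside `unchecked` blocks.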

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2
