Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-13172

Description

The mintToken function of a smart contract implementation for bzxcoin (BZX), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in bzxcoin (BZX) token's mintToken function allows contract owner to arbitrarily set any user's balance.

Vulnerability

The mintToken function in the bzxcoin (BZX) smart contract (an Ethereum token) contains an integer overflow vulnerability [1]. This flaw allows the contract owner to set the balance of an arbitrary user to any value. The affected contract is part of the bzxcoin repository [2]. It is a classic integer overflow in the minting logic: adding mintedAmount to the total supply and to the user's balance can wrap around, leading to uncontrolled balance manipulation.

Exploitation

An attacker who is the owner of the contract can exploit this vulnerability by calling the mintToken function with a large mintedAmount value that causes an integer overflow. No special network position or authentication beyond being the contract owner is required. The owner simply invokes the function with a crafted amount to set the target user's balance to any desired value.

Impact

Successful exploitation allows the contract owner to arbitrarily increase or decrease the balance of any user, effectively controlling the token supply and distribution. This can lead to complete loss of trust in the token's integrity, financial loss for other holders, and potential manipulation of token-based systems.

Mitigation

As of the publication date (2018-07-05), no official fix has been released for the bzxcoin contract. The vulnerability is inherent in the smart contract code. Users should avoid using this token contract. The Ethereum community recommends using safe math libraries (e.g., OpenZeppelin's SafeMath) to prevent integer overflows. The contract may be considered abandoned or unmaintained.
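
The overflow described under Vulnerability and the checked arithmetic recommended under Mitigation, side by side, as an added Solidity example (not the bzxcoin source, which this page does not reproduce). The contract name, `target`, `balanceOf`, `totalSupply` and the `onlyOwner` modifier are assumptions modelled on common ERC-20 code; the `unchecked` block reproduces the wrapping arithmetic that compilers before 0.8 applied by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the bzxcoin contract. Every name except
// mintToken and mintedAmount is an assumption (typical ERC-20 naming).
contract MintOverflowDemo {
    address public owner = msg.sender;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Vulnerable pattern: with wrapping arithmetic (the default before
    // Solidity 0.8, reproduced here with `unchecked`) both sums are taken
    // modulo 2**256, so the stored balance and supply can end up lower
    // than before the call instead of the transaction failing.
    function mintTokenUnchecked(address target, uint256 mintedAmount)
        external
        onlyOwner
    {
        unchecked {
            balanceOf[target] += mintedAmount;
            totalSupply += mintedAmount;
        }
    }

    // Hardened pattern: checked addition reverts with Panic(0x11) on
    // overflow, so neither value can wrap. On compilers older than 0.8
    // the equivalent is SafeMath's add() from OpenZeppelin, which performs
    // the same "result >= operand" check and reverts when it fails.
    function mintToken(address target, uint256 mintedAmount)
        external
        onlyOwner
    {
        balanceOf[target] += mintedAmount;
        totalSupply += mintedAmount;
    }
}
```

When reviewing an existing token, the thing to look for is any `+`, `+=` or `*` on balances or supply compiled with a pre-0.8 pragma and not routed through a checked helper.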

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
