CVE-2018-13175

Vulnerability

The mintToken function in the AIChain Ethereum smart contract (an ERC-20-like token) contains an integer overflow vulnerability [1]. The function allows the owner to mint new tokens to any address without proper overflow checks, enabling the owner to set the balance of an arbitrary user to any value [1][2]. This affects the contract code as deployed on the Ethereum blockchain, specifically the version found in the AIChain repository [2].

Exploitation

An attacker who is the contract owner (or gains control of the owner account) can call the mintToken function with a large mintedAmount parameter, causing an integer overflow in the balance update arithmetic [1]. The transaction requires only the owner's private key; no special network position or user interaction is needed [1][2]. The overflow allows the owner to assign any desired balance to any address, including themselves [1].

Impact

Successful exploitation gives the owner complete control over token supply and distribution [1]. They can arbitrarily inflate their own balance or the balance of any other user, effectively compromising the token's integrity [1]. Since the contract is immutable after deployment, the inflated supply cannot be corrected, potentially leading to loss of trust and financial value for other holders [2].

Mitigation

No fix was released for this specific contract; the vulnerability exists in the deployed AIChain contract [1][2]. The token has likely been abandoned or is considered compromised [2]. Users should avoid interacting with this contract and treat any remaining tokens as valueless [1][2].