VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-13185

Description

The mintToken function of a smart contract implementation for appcoins (APPC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer overflow in the mintToken function of the appcoins (APPC) Ethereum smart contract allows the owner to arbitrarily set any user's balance.

Vulnerability

The mintToken function in the appcoins (APPC) Ethereum smart contract [2] contains an integer overflow vulnerability. The contract code does not perform overflow checks when updating a user's balance during token minting. This affects the deployed contract as described in the reference repository [1]. The vulnerability exists in the contract's logic and does not require a specific configuration; it is inherent in the flawed arithmetic operation.

Exploitation

An attacker who is the owner of the contract can exploit this vulnerability. The owner calls the mintToken function with a target address and an amount. Because the balance addition is unchecked, a large enough amount makes the sum overflow and wrap around, so the target user's balance can be set to any arbitrary value the attacker chooses, including a very large number.

Impact

A successful exploit allows the contract owner to arbitrarily inflate the token balance of any Ethereum address. This directly violates the intended token supply rules and can lead to manipulation of the token's value, theft from other users, or disruption of any application relying on the token's integrity.

Mitigation

No official fix or patched version has been released by the contract developers according to the available references. The vulnerability exists in the deployed contract and remains unaddressed. Users are advised to consider the appcoins token as vulnerable and to avoid interacting with the affected contract. There is no known CISA KEV listing for this vulnerability.
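
The unchecked balance update described under Vulnerability, shown beside a checked version. This is an added illustration of the bug class, not the APPC contract source and not code from the referenced repository; the contract name, function names and `MAX_SUPPLY` cap are hypothetical. It assumes a Solidity 0.8 compiler, where `unchecked` reproduces the wrapping arithmetic that older compilers applied by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example of the bug class; NOT the APPC contract.
// MintDemo, mintTokenUnchecked, mintTokenChecked and MAX_SUPPLY are hypothetical names.
contract MintDemo {
    address public owner = msg.sender;
    uint256 public totalSupply;
    uint256 public constant MAX_SUPPLY = 10**27; // assumed cap for this example
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Vulnerable pattern: the `unchecked` block models pre-0.8 semantics, where
    // `+=` on uint256 wraps modulo 2**256 instead of reverting. Once a sum
    // passes 2**256 - 1, the stored balance and supply no longer reflect what
    // was minted, and no error is raised.
    function mintTokenUnchecked(address target, uint256 mintedAmount) external onlyOwner {
        unchecked {
            balanceOf[target] += mintedAmount;
            totalSupply += mintedAmount;
        }
        emit Transfer(address(0), target, mintedAmount);
    }

    // Hardened pattern: default 0.8 arithmetic reverts on overflow, and the
    // explicit cap bounds what even the owner can mint. If only this function
    // mints, every balance stays <= totalSupply <= MAX_SUPPLY.
    // On compilers before 0.8 the equivalent check is a SafeMath-style add().
    function mintTokenChecked(address target, uint256 mintedAmount) external onlyOwner {
        require(mintedAmount <= MAX_SUPPLY - totalSupply, "cap exceeded");
        totalSupply += mintedAmount;
        balanceOf[target] += mintedAmount;
        emit Transfer(address(0), target, mintedAmount);
    }
}
```

When reviewing a token contract, look for owner-only mint paths that update balances with plain `+=` under a pre-0.8 `pragma` and have no supply cap.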

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
