Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-13187

Description

The mintToken function of a smart contract implementation for CIBN Live Token (CIBN LIVE), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in CIBN Live Token's mintToken function allows the contract owner to arbitrarily set any user's balance.

Vulnerability

The mintToken function in the CIBN Live Token (CIBN LIVE) smart contract, an Ethereum token, contains an integer overflow vulnerability [1]. The function performs arithmetic on totalSupply and the balanceOf mapping without using SafeMath or similar overflow protection. This allows the contract owner to pass a large mintedAmount value that, when added to the current total supply, causes an integer overflow, resulting in a small or zero effective increase. The overflow enables the owner to set the balance of any arbitrary user to any desired value. The affected contract is the CIBN Live Token implementation as deployed on the Ethereum blockchain [2]. No specific version numbers are provided, but the vulnerability exists in the contract code as published in the referenced repository.

Exploitation

An attacker must be the contract owner (the address that deployed the contract) to call the mintToken function. The owner calls mintToken with a target address and a mintedAmount that, when added to the current totalSupply, exceeds the maximum uint256 value, causing an overflow. Due to the overflow, the totalSupply wraps around to a small number, and the target address's balance is set to the overflowed value (which can be arbitrarily chosen by the attacker). No user interaction or additional privileges are required beyond owner access.

Impact

Successful exploitation allows the contract owner to arbitrarily set the token balance of any user address. This can be used to inflate the owner's own balance, drain tokens from other users, or manipulate the token supply. The impact includes complete loss of token value integrity, potential theft of funds, and loss of trust in the token. The attacker gains full control over token distribution and can effectively create or destroy tokens at will.

Mitigation

As of the publication date (2018-07-05), no fix or patched version of the CIBN Live Token contract has been released. The vulnerability is inherent in the contract code, and users are advised to avoid interacting with this token. The contract should be replaced with a version that uses SafeMath for arithmetic operations to prevent integer overflows. No workaround exists for the deployed contract. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
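
The wraparound described under Vulnerability and the SafeMath-style check recommended under Mitigation, as an added Python model that is not the contract's code or part of the original advisory. It assumes mintToken uses plain addition on the target's balanceOf entry and on totalSupply; TokenModel, mint_unchecked, mint_checked and mint_wrapped are hypothetical names, and the ledger values are constructed.

```python
# Added model of pre-0.8 Solidity uint256 arithmetic; not the contract's source.
UINT256_MAX = 2**256 - 1


class OverflowRejected(Exception):
    """Raised by the checked mint, standing in for a SafeMath revert."""


class TokenModel:
    def __init__(self, balances):
        # balances: address -> starting balance (constructed sample data)
        self.balance_of = dict(balances)
        self.total_supply = sum(balances.values())

    def mint_unchecked(self, target, minted_amount):
        """Assumed vulnerable pattern: plain `+=`, which wraps modulo 2**256."""
        bal = self.balance_of.get(target, 0)
        self.balance_of[target] = (bal + minted_amount) & UINT256_MAX
        self.total_supply = (self.total_supply + minted_amount) & UINT256_MAX

    def mint_checked(self, target, minted_amount):
        """SafeMath-style add: refuse any sum that does not fit in uint256."""
        bal = self.balance_of.get(target, 0)
        if not 0 <= minted_amount <= UINT256_MAX:
            raise OverflowRejected("amount is not a uint256")
        headroom = UINT256_MAX - max(bal, self.total_supply)
        if minted_amount > headroom:
            raise OverflowRejected("mint would overflow uint256")
        self.balance_of[target] = bal + minted_amount
        self.total_supply += minted_amount


def mint_wrapped(before, after, minted_amount):
    """Audit check: minting a positive amount must never lower a balance or supply."""
    return minted_amount > 0 and after < before


def demo():
    # Constructed ledger: two holders, total supply 1500.
    token = TokenModel({"holder": 1000, "other": 500})
    amount = UINT256_MAX - 999  # 2**256 - 1000
    before = token.balance_of["holder"]
    token.mint_unchecked("holder", amount)
    after = token.balance_of["holder"]
    return before, after, token.total_supply, mint_wrapped(before, after, amount)


if __name__ == "__main__":
    print(demo())
```

Solidity 0.8.0 and later revert on arithmetic overflow by default, so the explicit check matters for contracts compiled with earlier versions or inside unchecked blocks.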

Affected products

1

Patches

0

No patches discovered yet.

References

2
