VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-13195

Description

The mintToken function of a smart contract implementation for Cranoo (CRN), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The mintToken function in the CRN smart contract has an integer overflow allowing the owner to set any user's balance arbitrarily.

Vulnerability

The mintToken function in the Cranoo (CRN) Ethereum smart contract suffers from an integer overflow vulnerability. The function does not validate the amount parameter before using it in arithmetic operations, allowing the owner to compute a new balance that can wrap around due to overflow. This affects the Cranoo token contract as described in the repository of vulnerable Ether tokens [1][2]. The exact contract version is not specified, but the vulnerability is present in the Cranoo implementation.

Exploitation

The attacker must be the owner of the smart contract. The owner can call the mintToken function with a carefully chosen large mintedAmount value that causes an integer overflow when added to the recipient's balance. The sum wraps around, so the resulting balance can be much smaller than before or can be controlled by the owner. By exploiting this overflow, the owner can set the balance of any arbitrary user to any value they desire [1].

Impact

Successful exploitation allows the owner to arbitrarily inflate or deflate the token balance of any address. This effectively breaks the core accounting of the token, enabling the owner to mint an unlimited number of tokens or to corrupt user balances. The impact is a complete loss of supply integrity and trust in the token economics [1].

Mitigation

No official patch or fixed version has been published for the Cranoo contract. The affected contract remains vulnerable as disclosed in the EtherTokens audit repository [1][2]. This CVE is not listed in the CISA Known Exploited Vulnerabilities Catalog. As a workaround, users should treat this token as untrustworthy and avoid using it until a fixed contract with proper overflow checks is deployed.
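
The overflow check the mitigation calls for, as an added Solidity example that is not the Cranoo (CRN) contract's code and not taken from the cited repository. The contract name, storage layout, `onlyOwner` modifier and `totalSupply` update are assumptions; only the `mintToken` and `mintedAmount` names come from the text above. The `unchecked` block reproduces the silent wraparound of pre-0.8 compilers next to a form that rejects it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: NOT the Cranoo (CRN) source, which is not shown on this page.
// Contract, mapping and modifier names are assumptions.
contract MintOverflowDemo {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Compilers before 0.8 wrap silently on overflow. The unchecked block
    // reproduces that legacy behaviour: balance + mintedAmount is reduced
    // modulo 2**256, so the stored balance can end up below its old value.
    function mintTokenUnchecked(address target, uint256 mintedAmount) external onlyOwner {
        unchecked {
            balanceOf[target] += mintedAmount;
            totalSupply += mintedAmount;
        }
    }

    // Hardened form: the invariant "a mint never lowers a balance or the
    // supply" is stated explicitly, so it holds even if the code is ported
    // to a compiler without checked arithmetic.
    function mintTokenChecked(address target, uint256 mintedAmount) external onlyOwner {
        uint256 newBalance;
        uint256 newSupply;
        unchecked {
            newBalance = balanceOf[target] + mintedAmount;
            newSupply = totalSupply + mintedAmount;
        }
        require(newBalance >= balanceOf[target], "balance overflow");
        require(newSupply >= totalSupply, "supply overflow");
        balanceOf[target] = newBalance;
        totalSupply = newSupply;
    }
}
```

When auditing a deployed token, the absence of any such comparison (or of a checked-arithmetic library) around the balance update in an owner-only mint function is the pattern to look for.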

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
