CVE-2018-13326
Description
The transfer and transferFrom functions of a smart contract implementation for Bittelux (BTX), an Ethereum token, have an integer overflow. NOTE: this has been disputed by a third party.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Bittelux (BTX) token transfer functions is disputed as unreachable due to balance invariants, making exploitation impossible.
Vulnerability
The Bittelux (BTX) Ethereum token smart contract contains an integer overflow vulnerability in the transfer and transferFrom functions, as reported in the contract documentation [1]. The overflow occurs when adding _value to balances[_to] without proper bounds checking. However, this finding has been disputed by a third party [2], who argues that the sum of balances is always bounded by totalSupply, which itself is less than 2^256 - 1, making the overflow unreachable under normal operation.
Exploitation
According to the original report, an attacker could craft a transaction with a large _value to cause an overflow in the recipient's balance, potentially leading to unintended token minting or balance manipulation. However, the dispute [2] demonstrates that because _value <= balances[msg.sender] and balances[msg.sender] + balances[_to] <= totalSupply <= 2^256 - 1, the addition _value + balances[_to] cannot overflow. Therefore, no practical exploitation path exists under the contract's invariants.
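The bound used in the dispute can be checked on a small model. The following Python sketch is an added example, not the BTX contract's code or the disputing party's analysis; `TokenModel`, the account names and the sampled values are constructed, and uint256 storage is emulated by masking. It also shows the caveat behind the argument: the unchecked credit is only safe while the sum of balances stays within totalSupply.

```python
import random

UINT256_MAX = 2**256 - 1  # largest value a Solidity uint256 can hold

class TokenModel:
    """Constructed ERC-20-style ledger; the credit in transfer() is unchecked."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(self.balances.values())

    def transfer(self, sender, to, value):
        """Return (ok, wrapped); wrapped means the credit exceeded uint256."""
        if value > self.balances.get(sender, 0):  # _value <= balances[msg.sender]
            return False, False
        self.balances[sender] -= value
        credit = self.balances.get(to, 0) + value  # exact, unbounded Python int
        self.balances[to] = credit & UINT256_MAX   # value the EVM would store
        return True, credit > UINT256_MAX

def wraps_under_invariant(trials=2000, seed=1):
    """Count wraps when sum(balances) == totalSupply <= 2**256 - 1."""
    rng = random.Random(seed)
    wraps = 0
    for _ in range(trials):
        supply = UINT256_MAX - rng.randrange(3)  # sit right at the boundary
        a = rng.choice([0, 1, supply // 2, supply - 1, supply])
        token = TokenModel({"alice": a, "bob": supply - a})
        sender, to = rng.choice([("alice", "bob"), ("bob", "alice")])
        held = token.balances[sender]
        value = rng.choice([0, 1, held // 2, held, held + 1, UINT256_MAX])
        ok, wrapped = token.transfer(sender, to, value)
        wraps += wrapped
        # Conservation: neither an accepted nor a rejected transfer changes the sum.
        assert sum(token.balances.values()) == token.total_supply
    return wraps

def wraps_when_invariant_broken():
    """Same transfer, but the ledger already holds more than 2**256 - 1 in total."""
    token = TokenModel({"alice": 1})
    token.balances = {"alice": UINT256_MAX, "bob": 1}  # constructed: invariant violated
    ok, wrapped = token.transfer("alice", "bob", UINT256_MAX)
    return ok, wrapped, token.balances["bob"]
```

When reviewing a contract of this shape, the question to settle is therefore whether every function that writes to the balances preserves the sum, not only whether `transfer` checks its addition.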
Impact
If the overflow were exploitable, an attacker could arbitrarily increase the balance of any address, leading to inflation of token supply and loss of value for legitimate holders. However, the dispute analysis [2] concludes that the overflow condition is mathematically impossible given the contract's constraints, so there is no actual impact.
Mitigation
No fix has been released because the vulnerability is considered a false positive by the disputing party [2]. The contract code as available in the repository [1] remains unchanged. Users are advised to review the dispute analysis and verify the contract's invariants independently. No CVE-related patch is expected.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.