CVE-2018-13478
Description
The mintToken function of a smart contract implementation for DMPToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in DMPToken's mintToken function allows the contract owner to arbitrarily set any user's balance.
Vulnerability
The mintToken function in the DMPToken smart contract (an Ethereum token) contains an integer overflow vulnerability. The function performs arithmetic on user-supplied values without proper overflow checks, allowing the owner to set the balance of any arbitrary user to any value. The vulnerable code is present in the DMPToken contract as hosted in the referenced repository [1][2]. No specific version numbers are provided, but the contract is part of the EtherTokens collection.
Exploitation
An attacker must be the contract owner (the address that deployed the contract). The owner can call mintToken with a large mintedAmount value that causes an integer overflow in the balance update, resulting in an arbitrary balance for the target address. No additional authentication or user interaction is required beyond owner privileges.
Impact
Successful exploitation allows the owner to inflate or deflate any user's token balance arbitrarily. This can lead to total loss of token value, manipulation of token supply, and potential theft of funds from other users if the token is traded or used in other contracts.
Mitigation
No fix or patched version has been disclosed in the available references [1][2]. The contract remains vulnerable as published. Users should avoid using the DMPToken contract or any similar contract that lacks safe arithmetic operations (e.g., using OpenZeppelin's SafeMath library).
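The unchecked addition and the SafeMath-style guard named above, modelled in Python as an added example (not DMPToken's source and not code from the cited repository). It assumes the balance update is a plain uint256 addition; `Ledger`, `balance_of`, `total_supply` and `mint_outcome` are hypothetical names, and the starting state is constructed.

```python
# Added illustration: models EVM uint256 arithmetic in Python.
# This is not DMPToken's source; balance_of and total_supply are assumed names.
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for a failed require(): the whole call is rolled back."""


def wrapping_add(a: int, b: int) -> int:
    # Unchecked uint256 `+` (Solidity before 0.8): result is reduced mod 2**256.
    return (a + b) & UINT256_MAX


def safe_add(a: int, b: int) -> int:
    # SafeMath-style add: a wrapped sum is always smaller than either operand.
    c = wrapping_add(a, b)
    if c < a:
        raise Revert("uint256 addition overflow")
    return c


class Ledger:
    def __init__(self, add, balances):
        self.add = add  # arithmetic policy: wrapping_add or safe_add
        self.balance_of = dict(balances)
        self.total_supply = sum(balances.values())

    def mint_token(self, target: str, minted_amount: int) -> None:
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("minted_amount is not a uint256")
        # Compute both sums before writing, so a Revert leaves state untouched.
        new_balance = self.add(self.balance_of.get(target, 0), minted_amount)
        new_supply = self.add(self.total_supply, minted_amount)
        self.balance_of[target] = new_balance
        self.total_supply = new_supply


def mint_outcome(add, start_balance: int, minted_amount: int):
    """Return the holder's balance after one mint, or 'reverted'."""
    ledger = Ledger(add, {"holder": start_balance})  # constructed sample state
    try:
        ledger.mint_token("holder", minted_amount)
    except Revert:
        assert ledger.balance_of["holder"] == start_balance  # state unchanged
        return "reverted"
    return ledger.balance_of["holder"]
```

With the wrapping policy a mint can leave the holder with less than before; with the checked policy the same call reverts and the ledger is unchanged, which is the property a regression test for a patched contract should assert.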
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
[2] github.com/BlockChainsSecurity/EtherTokens/tree/master/DMPToken (mitre, x_refsource_MISC)