CVE-2018-13558

Vulnerability

The mintToken function in the rhovit Ethereum token smart contract contains an integer overflow vulnerability [1]. The contract allows the owner to call mintToken to mint tokens to a specified address. Due to insufficient arithmetic checks, an overflow can occur in the balance update, enabling the owner to set the balance of any user to an arbitrary value [2]. This affects the rhovit token contract as implemented in the EtherTokens repository.

Exploitation

The attacker must be the owner of the contract, as mintToken is typically restricted to the owner. The owner calls mintToken with a large mintedAmount parameter resulting in an integer overflow when updating the recipient's balance. This overflows and sets the balance to a desired value (e.g., a very high value).

Impact

An owner can arbitrarily set any user's token balance to any value, potentially inflating supply or manipulating balances. This can lead to loss of funds for other users or manipulation of the token's economy.

Mitigation

No fix has been published in the available references. Developers should upgrade to a version with safe arithmetic (e.g., using SafeMath). The contract is part of EtherTokens, which may be unaudited. No CVE-related patch is mentioned.