VYPR
Unrated severity · NVD Advisory · Published Jul 9, 2018 · Updated Aug 5, 2024

CVE-2018-13566

Description

The mintToken function of a smart contract implementation for RETNToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RETNToken mintToken function has an integer overflow allowing the owner to arbitrarily set any user's balance.

Vulnerability

The mintToken function in the RETNToken smart contract (an Ethereum token) contains an integer overflow. The function lets the contract owner mint new tokens to any address. The overflow occurs in the lines totalSupply += mintedAmount; and balances[target] += mintedAmount; when the sum exceeds the maximum value of a uint256: the Solidity compilers of that era perform unchecked arithmetic, so the result wraps modulo 2^256 instead of reverting. The owner triggers it by calling mintToken with a sufficiently large mintedAmount. The affected versions are any RETNToken contract based on the code at [1].

Exploitation

The attacker must be the contract owner (the address that deployed the contract). No special network position or user interaction is needed. The owner simply calls mintToken(target, mintedAmount) with a mintedAmount that, when added to the current totalSupply or the target's balance, exceeds the uint256 range. Because the addition is unchecked, the result wraps modulo 2^256 instead of reverting: the same mintedAmount can wrap totalSupply down to a small number (e.g., 0) while wrapping the target's much smaller balance around to a value just under 2^256, so the owner effectively sets the target's balance to any value they choose. The sequence is: the owner chooses a target, computes a large mintedAmount (e.g., 2^256 - currentSupply), calls the function, and the target's balance becomes astronomically high.

Impact

The attacker (contract owner) can set the balance of any user to any arbitrary value. This breaks the token's supply invariants (total supply can be inflated arbitrarily) and allows the owner to effectively drain all tokens from other users by transferring from those inflated balances. The compromise is total loss of token value and functionality; the owner gains unlimited control over all balances.

Mitigation

No fix has been published for this specific RETNToken contract as of the reference date (2018-07-09). The vulnerability is inherent in the unchecked addition pattern. A general mitigation is to use SafeMath library functions (e.g., SafeMath.add) that revert on overflow, or to check mintedAmount <= MAX_UINT256 - totalSupply (and likewise against the target's current balance) before performing each addition. Reference [1] describes the same issue in GEMCHAIN and recommends using SafeMath.
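The following is an added illustration, not the RETNToken source or any code from reference [1]: it places the unchecked mint pattern described in the Vulnerability section beside the SafeMath-based form recommended in the Mitigation section. Contract names (UncheckedMintToken, CheckedMintToken, Owned), the Mint event and the zero-address check are assumptions made for the example.

```solidity
pragma solidity ^0.4.24;

// Added example, not the RETNToken contract. Names below are assumptions.

library SafeMath {
    // Reverts instead of wrapping when a + b exceeds 2^256 - 1.
    // The check works because an overflowed sum is always smaller than a.
    function add(uint256 a, uint256 b) internal pure returns (uint256 c) {
        c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }
}

contract Owned {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }
}

// Vulnerable pattern: pre-0.8 Solidity performs unchecked arithmetic, so both
// additions silently wrap modulo 2^256 and the owner can land balances[target]
// on any value instead of the call reverting.
contract UncheckedMintToken is Owned {
    uint256 public totalSupply;
    mapping(address => uint256) public balances;

    function mintToken(address target, uint256 mintedAmount) public onlyOwner {
        balances[target] += mintedAmount;   // wraps on overflow
        totalSupply += mintedAmount;        // wraps on overflow
    }
}

// Hardened pattern: every addition goes through SafeMath.add, so a mint whose
// sum would exceed uint256 reverts and the supply invariant
// (sum of balances == totalSupply) cannot be broken by overflow.
contract CheckedMintToken is Owned {
    using SafeMath for uint256;

    uint256 public totalSupply;
    mapping(address => uint256) public balances;

    event Mint(address indexed target, uint256 amount);

    function mintToken(address target, uint256 mintedAmount) public onlyOwner {
        require(target != address(0), "mint to the zero address");
        balances[target] = balances[target].add(mintedAmount);
        totalSupply = totalSupply.add(mintedAmount);
        emit Mint(target, mintedAmount);
    }
}
```

With the checked version, a call that would push either sum past 2^256 - 1 reverts with "SafeMath: addition overflow" and leaves storage untouched. Contracts compiled with Solidity 0.8.0 or later get the same behaviour from the compiler itself, since arithmetic there is checked by default and `+=` reverts on overflow; the SafeMath wrapper is only needed for older compiler versions such as the one this example targets. The Mint event is included so that off-chain monitoring can reconcile emitted mint amounts against totalSupply changes.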

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.