VYPR
Unrated severity · NVD Advisory · Published Jul 9, 2018 · Updated Aug 5, 2024

CVE-2018-13585

Description

The mintToken function of a smart contract implementation for CHERRYCOIN, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in the mintToken function of CHERRYCOIN Ethereum token allows the contract owner to arbitrarily set any user's balance.

Vulnerability

The mintToken function in the CHERRYCOIN smart contract (Ethereum token) contains an integer overflow vulnerability. The function allows the owner to mint tokens to a target address, but due to an unchecked arithmetic operation in the line balanceOf[target] += mintedAmount, an overflow can occur if mintedAmount is chosen appropriately. This is a classic vulnerability in many Ethereum tokens, as described in [1]. The affected contract is the CHERRYCOIN token, as seen in [2]. No specific version is mentioned; the code at the time of the CVE is vulnerable.

Exploitation

The attacker must be the owner of the contract (the address that deployed it) or have owner privileges. By calling mintToken with a large mintedAmount, the owner can cause an integer overflow in the balanceOf mapping for any target address, setting its balance to a desired value. No user interaction or race condition is required; it is a direct call.

Impact

A successful attack allows the owner to arbitrarily set the balance of any user to any value (including extremely high or low values). This can lead to inflation of token supply, manipulation of token distribution, and potential loss of value for other token holders. The attacker gains control over the token economy.

Mitigation

Based on the available references, no fix has been released for the CHERRYCOIN contract. Developers should implement overflow protection using the SafeMath library, or check for overflow before updating balances. Users should avoid tokens with known vulnerabilities and verify contract code.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2