CVE-2018-13587
Description
The mintToken function of a smart contract implementation for DECToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in DECToken's mintToken function allows contract owner to arbitrarily set any user's token balance.
Vulnerability
The mintToken function in the DECToken smart contract (an Ethereum token) has an integer overflow vulnerability. The function allows the contract owner to mint tokens to any address without validating the total supply or balance, enabling an overflow that sets the target balance to an arbitrary value. Affected versions include all deployments of the DECToken contract as found in the referenced repository [1].
Exploitation
An attacker who is the contract owner can trigger the integer overflow by calling mintToken with a large mintedAmount value. The overflow occurs because the contract uses standard arithmetic operations without safe math libraries, allowing the sum to wrap around. The owner can then set the balance of any user to any desired value [2].
Impact
By exploiting this overflow, the owner can inflate the total token supply and arbitrarily manipulate token holdings of any address. This undermines the integrity of the token's value and can lead to loss of funds for legitimate holders. The owner gains full control over all token balances.
Mitigation
As of the publication date, no fix has been released for the DECToken contract. The vulnerability is inherent in the code design. To mitigate, token contracts should use safe math libraries like OpenZeppelin's SafeMath to prevent integer overflows. Users should avoid interacting with DECToken or similar vulnerable contracts [1][2].
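The following contract is an added example, not DECToken's source and not code from the referenced repositories. It contrasts a mint routine whose additions can wrap with a hardened one that validates the supply before changing state. Only `mintToken` and `mintedAmount` come from the page; the contract name, the `target` parameter, the `MAX_SUPPLY` cap, and the use of Solidity 0.8 with an `unchecked` block to reproduce pre-0.8 wrapping arithmetic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration, not DECToken's source. mintToken and
// mintedAmount come from the page; every other name is an assumption.
contract MintOverflowDemo {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // Assumed cap; the page does not state DECToken's intended supply.
    uint256 public constant MAX_SUPPLY = 1_000_000 * 10 ** 18;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Unsafe pattern: `unchecked` reproduces pre-0.8 arithmetic, where
    // uint256 sums wrap modulo 2**256 instead of reverting.
    function mintTokenUnchecked(address target, uint256 mintedAmount) external onlyOwner {
        unchecked {
            balanceOf[target] += mintedAmount;
            totalSupply += mintedAmount;
        }
        emit Transfer(address(0), target, mintedAmount);
    }

    // Hardened pattern: checked addition (what SafeMath.add enforced before
    // 0.8) plus an explicit supply cap, validated before any state change.
    function mintTokenChecked(address target, uint256 mintedAmount) external onlyOwner {
        uint256 newSupply = totalSupply + mintedAmount; // reverts on overflow
        require(newSupply <= MAX_SUPPLY, "cap exceeded");
        totalSupply = newSupply;
        balanceOf[target] += mintedAmount; // checked: reverts on overflow
        emit Transfer(address(0), target, mintedAmount);
    }
}
```

When auditing a token, any owner-only mint path that adds to a balance or to the supply without a checked add or a cap is the pattern to flag.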
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/DECToken (mitre, x_refsource_MISC)