CVE-2018-13588
Description
The mintToken function of a smart contract implementation for Code47 (C47), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The mintToken function in the Code47 (C47) Ethereum token contract has an integer overflow vulnerability allowing the owner to set arbitrary user balances.
Vulnerability
The mintToken function in the Code47 (C47) Ethereum token smart contract has an integer overflow vulnerability. The function does not validate the mintedAmount parameter, allowing an attacker (the contract owner) to specify a value that, when added to the user's balance, causes an integer overflow. This vulnerability affects the contract implementation at commit 2e4f5c0b (referenced in the EtherTokens repository) [1][2].
Exploitation
The attacker must be the owner of the contract. By calling mintToken with a crafted mintedAmount value, the owner can trigger an integer overflow in the user's balance update. The overflow results in the balance being set to an arbitrary value controlled by the attacker [1][2].
Impact
Successful exploitation allows the contract owner to manipulate the balance of any user to any integer value, effectively enabling the theft of tokens, creation of artificial supply, or destabilization of the token economy. The owner gains full control over token balances [1][2].
Mitigation
At the time of publication (2018-07-09), no official fix or updated contract had been released. The repository indicates the vulnerable code remains. Users should avoid using or investing in this contract. The available references document no KEV listing or known fix [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/Code47 (mitre, x_refsource_MISC)