CVE-2018-13595
Description
The mintToken function of a smart contract implementation for BitStore, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in BitStore token's mintToken function allows contract owner to arbitrarily set any user's balance.
Vulnerability
The mintToken function in the BitStore Ethereum token smart contract contains an integer overflow vulnerability [1]. The function allows the contract owner to mint new tokens and assign them to any address. Due to insufficient arithmetic validation, the totalSupply and user balance updates can overflow, enabling the owner to set an arbitrary user's balance to any value [2]. Affected versions include all deployments of the BitStore contract as described in the repository [2].
Exploitation
An attacker who is the contract owner can call mintToken with a large mintedAmount value that causes an integer overflow in the balance addition. This allows the owner to set the balance of any target address to a desired value, including extremely high amounts, without requiring any additional privileges or user interaction [1][2].
Impact
Successful exploitation allows the contract owner to arbitrarily inflate the token supply and assign any balance to any address. This can lead to complete loss of token value, manipulation of token distribution, and potential theft of funds from other users if the inflated tokens are traded or used in other contracts [1][2].
Mitigation
No official fix has been published for the BitStore contract. The vulnerability is inherent in the smart contract code as deployed. Users should avoid interacting with this token contract. The issue is similar to other integer overflow vulnerabilities documented in the EtherTokens repository [1]. As of the publication date (2018-07-09), no patched version is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/BitStore (mitre, x_refsource_MISC)