CVE-2018-13608

Vulnerability

The mintToken function in the archercoin Ethereum smart contract has an integer overflow vulnerability. The contract code, as shown in the reference repository [2], allows the owner to mint new tokens by adding to a target user's balance without proper bounds checking. This can result in an overflow, enabling the owner to set an arbitrary user's balance to any value. The vulnerability exists in the archercoin contract as implemented in the EtherTokens project.

Exploitation

Exploitation requires that the attacker is the owner of the smart contract. The owner can call mintToken with a large mintedAmount parameter, causing an integer overflow when adding to the user's existing balance. This bypasses the intended token supply cap and lets the owner assign an extremely large balance to any address.

Impact

An attacker who is the contract owner can inflate the token supply and assign arbitrary balances to any user. This can lead to loss of token value, manipulation of market cap, and denial of service for legitimate token holders. The integrity of the token economics is completely compromised.

Mitigation

The archercoin contract itself does not have a known fix. The reference repository [1] highlights similar integer overflow issues in other tokens, suggesting that developers should use the SafeMath library to prevent arithmetic overflows. A workaround is to avoid using the archercoin token or to deploy a patched version of the contract that uses SafeMath. No official patched version or date is documented in the available references.