CVE-2018-13609
Description
The mintToken function of a smart contract implementation for CSAToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSAToken smart contract mintToken function has an integer overflow enabling the owner to arbitrarily set any user's balance.
Vulnerability
The mintToken function in the CSAToken Ethereum smart contract contains an integer overflow vulnerability. The function does not check for overflow when computing the new total supply and the recipient's balance, so the owner can set the balance of an arbitrary user to any value. The vulnerable contract is part of the CSAToken project and is similar to the GEMCHAIN example described in reference [1]. The affected versions are those deployed before the issue was documented (2018-07-09) [1][2].
Exploitation
The attacker must be the contract owner, which in Ethereum is the address that deployed the contract. To exploit, the owner calls the mintToken function with a large mintedAmount that causes an integer overflow in the balance update arithmetic. No special network position or user interaction is required beyond the owner's transaction. The overflow is triggered by supplying a value that wraps the balanceOf[target] and totalSupply around the 256-bit unsigned integer limit [1].
Impact
A successful exploitation allows the contract owner to arbitrarily set the token balance of any user to any value (including zero or a huge number). This breaks the intended token supply constraints and can lead to theft of value, manipulation of tokenomics, or denial of service. The CIA impact is primarily integrity loss (balance manipulation) and potential availability issues if total supply becomes inconsistent [1][2].
Mitigation
The fix is to use the SafeMath library (or an equivalent) so that arithmetic operations revert on overflow instead of wrapping. The vulnerable CSAToken contract should be replaced or upgraded with a version that uses safe arithmetic. The reference repository (BlockChainsSecurity/EtherTokens) includes examples of the vulnerability and likely provides corrected versions [1][2]. No specific patched version number is disclosed in the references, but the issue was documented publicly on 2018-07-09. If the contract is still in use, the owner should migrate to a safe implementation.
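The following is an added example, not CSAToken's own code: a Python model of the mintToken balance update described above, run under the EVM's 256-bit unsigned arithmetic, beside a SafeMath-style checked version. The owner and user addresses, the starting balance, and the Token class layout are constructed for the demonstration.

```python
# Added example (not the project's code): unchecked vs. SafeMath-style mintToken.
UINT256_MAX = 2**256 - 1


def safe_add(a: int, b: int) -> int:
    """SafeMath-style addition: raise (revert) instead of wrapping."""
    c = a + b
    if c > UINT256_MAX:
        raise OverflowError("SafeMath: addition overflow")
    return c


class Token:
    """Minimal ERC20-like state: owner, totalSupply, balanceOf (constructed)."""

    def __init__(self, owner: str, checked: bool):
        self.owner = owner
        self.checked = checked  # True = SafeMath arithmetic, False = raw +=
        self.total_supply = 0
        self.balance_of = {}

    def mint_token(self, caller: str, target: str, minted_amount: int) -> int:
        """Owner-only mint, as in the advisory. Returns the target's new balance."""
        if caller != self.owner:
            raise PermissionError("onlyOwner")
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("mintedAmount is not a uint256")
        old_balance = self.balance_of.get(target, 0)
        if self.checked:
            new_balance = safe_add(old_balance, minted_amount)
            new_supply = safe_add(self.total_supply, minted_amount)
        else:
            # Solidity 0.4.x `+=` on uint256 silently wraps modulo 2**256
            new_balance = (old_balance + minted_amount) & UINT256_MAX
            new_supply = (self.total_supply + minted_amount) & UINT256_MAX
        self.balance_of[target] = new_balance
        self.total_supply = new_supply
        return new_balance


def mint_breaks_invariants(token: Token, target: str, minted_amount: int) -> bool:
    """Defender's check: a mint must never lower a balance or the total supply."""
    before_balance = token.balance_of.get(target, 0)
    before_supply = token.total_supply
    try:
        token.mint_token(token.owner, target, minted_amount)
    except OverflowError:
        return False  # reverted, state untouched
    return (token.balance_of[target] < before_balance
            or token.total_supply < before_supply)
```

With a user holding 1000 tokens, an unchecked mint of `(7 - 1000) % 2**256` wraps both the balance and totalSupply to 7, while the checked version raises and leaves the state unchanged.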
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md
- [2] github.com/BlockChainsSecurity/EtherTokens/tree/master/CSAToken
News mentions
No linked articles in our index yet.