CVE-2018-13626

Vulnerability

The mintToken function in the SemainToken smart contract (an Ethereum token) contains an integer overflow vulnerability. This allows the contract owner to set the balance of any arbitrary user to any value. The affected contract is the SemainToken implementation as found in the EtherTokens repository [2]. The vulnerability is a classic integer overflow in the mint function, as described in the reference [1].

Exploitation

The attacker must be the contract owner (the address that deployed the contract). No other privileges or user interaction are required. The owner simply calls the mintToken function with a large mintedAmount value that causes an integer overflow when updating the target user's balance, resulting in an arbitrary balance.

Impact

The owner can arbitrarily set the balance of any user to any value, effectively controlling the token supply and distribution. This can lead to theft of funds, manipulation of token economics, and complete loss of trust in the token.

Mitigation

No official fix has been published for SemainToken. The vulnerability is inherent in the contract code as deployed. Users should avoid using this token contract. The reference [1] provides a general description of the integer overflow pattern, but no specific patch is available. The contract may be considered abandoned or unaudited.