CVE-2018-13650
Description
The mintToken function of a smart contract implementation for BitmaxerToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in BitmaxerToken's mintToken function allows owner to set any user's balance arbitrarily.
Vulnerability
The mintToken function in the BitmaxerToken smart contract contains an integer overflow vulnerability. This flaw allows the contract owner to set the balance of any arbitrary user to any desired value. The vulnerability is present in all versions of the BitmaxerToken contract as described in the repository [2]. The integer overflow occurs due to lack of proper arithmetic bounds checking, as exemplified in similar token contracts [1].
Exploitation
An attacker who is the owner of the BitmaxerToken contract can directly call the mintToken function with a large value that triggers an integer overflow, thereby setting the balance of a target user to an arbitrarily high or low value. No other privileges or user interaction are required.
Impact
By exploiting this vulnerability, the owner can arbitrarily increase or decrease the balance of any Ethereum address holding BitmaxerToken, effectively stealing funds, creating tokens out of thin air, or destroying tokens. This compromises the integrity of the token's supply and the trust in the contract.
Mitigation
No official patch or fixed version has been disclosed for BitmaxerToken as of the publication date [2]. The recommended mitigation is to use SafeMath libraries or implement explicit overflow checks in the minting logic. Users should consider the contract insecure and avoid interacting with it.
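An added example, not taken from the BitmaxerToken source (which this page does not reproduce): a Solidity sketch that puts an unchecked owner mint beside one carrying the explicit overflow checks recommended above. The contract name, function names, event and the pre-0.8 compiler pragma are assumptions for illustration.

```solidity
pragma solidity ^0.4.24; // assumed pre-0.8 compiler: + and += wrap silently

// Constructed illustration of an owner-only mint; all names are hypothetical.
contract MintSketch {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Weak form: if balanceOf[target] + amount exceeds 2**256 - 1 the result
    // wraps modulo 2**256, so the stored balance no longer reflects the mint.
    function mintUnchecked(address target, uint256 amount) public onlyOwner {
        balanceOf[target] += amount;
        totalSupply += amount;
        emit Transfer(address(0), target, amount);
    }

    // Hardened form: compute each sum first and revert if it wrapped
    // (a wrapped sum is always smaller than either operand).
    function mintChecked(address target, uint256 amount) public onlyOwner {
        uint256 newBalance = balanceOf[target] + amount;
        require(newBalance >= amount, "balance overflow");
        uint256 newSupply = totalSupply + amount;
        require(newSupply >= amount, "supply overflow");

        // State is written only after both checks pass.
        balanceOf[target] = newBalance;
        totalSupply = newSupply;
        emit Transfer(address(0), target, amount);
    }
}
```

From Solidity 0.8 onward, arithmetic reverts on overflow by default, so the wrapping behaviour of the first function only appears inside an explicit `unchecked` block.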
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (MITRE, x_refsource_MISC)
[2] github.com/BlockChainsSecurity/EtherTokens/tree/master/BitmaxerToken (MITRE, x_refsource_MISC)