CVE-2018-13660
Description
The mint function of a smart contract implementation for BillionRewardsToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the mint function of BillionRewardsToken allows the owner to arbitrarily set any user's balance.
Vulnerability
The mint function of the smart contract implementing BillionRewardsToken (an Ethereum token) contains an integer overflow vulnerability. This allows the contract owner to bypass the intended supply cap and set the balance of any user to an arbitrary value. The affected code is in the BillionRewardsToken contract as available in the EtherTokens repository [1]. No specific version is provided, but the contract is deployed on the Ethereum mainnet [1].
Exploitation
The attacker must be the owner of the BillionRewardsToken contract. The owner can call the mint function with a large _value parameter that, when added to the existing total supply or user balance, causes an integer overflow. This overflow results in the user's balance being set to an arbitrary value controlled by the attacker [2]. No additional privileges or user interaction are required beyond owner access.
Impact
Successful exploitation allows the contract owner to inflate the token supply by setting any user's balance to an arbitrary amount. This can lead to loss of funds for other token holders, manipulation of the token economy, and potentially draining liquidity pools or exchanges that rely on the contract's balance accounting [1][2].
Mitigation
As of the provided references, no patched version is available. The vulnerability is a design flaw in the contract code. Users should avoid using BillionRewardsToken or any contract that relies on an unprotected mint function with integer arithmetic. A proper fix would involve using SafeMath library functions for all arithmetic operations [2]. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
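The unchecked addition described under Exploitation, next to the SafeMath-style checked form named under Mitigation, as an added illustration. This is not the BillionRewardsToken source, which this page does not reproduce: the contract, function and variable names are hypothetical, and the pragma assumes a pre-0.8 compiler, where `uint256` addition wraps silently.

```solidity
pragma solidity ^0.4.24;

// Added illustration; all names here are hypothetical.
// Minimal SafeMath-style checked addition.
library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        // If the sum wrapped past 2**256 - 1, c is smaller than a.
        require(c >= a, "addition overflow");
        return c;
    }
}

contract MintExample {
    using SafeMath for uint256;

    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Weak pattern: before Solidity 0.8, += on uint256 wraps modulo 2**256,
    // so a large _value leaves both counters at wrapped values
    // instead of reverting.
    function mintUnchecked(address _to, uint256 _value) public onlyOwner {
        balanceOf[_to] += _value;
        totalSupply += _value;
    }

    // Hardened pattern: each addition reverts the whole transaction
    // if the result would not fit in uint256.
    function mintChecked(address _to, uint256 _value) public onlyOwner {
        balanceOf[_to] = balanceOf[_to].add(_value);
        totalSupply = totalSupply.add(_value);
    }
}
```

Solidity 0.8 and later revert on overflow by default, so the explicit library matters for contracts compiled with older versions or for code inside `unchecked` blocks.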
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/BillionRewardsToken (mitre, x_refsource_MISC)