CVE-2018-13674
Description
The mintToken function of a smart contract implementation for ComBillAdvancedToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The mintToken function in ComBillAdvancedToken has an integer overflow, allowing the owner to set any user's balance arbitrarily.
Vulnerability
The mintToken function in the ComBillAdvancedToken smart contract (an Ethereum token) contains an integer overflow vulnerability. The contract allows the owner to mint new tokens and assign them to any address, but the arithmetic operations used to update the total supply and the target balance do not properly check for overflow. This flaw exists in the contract implementation available at the referenced repository [1][2]. No affected version is explicitly specified; the code is published in the master branch of the EtherTokens repository.
Exploitation
An attacker who is the contract owner can directly exploit this vulnerability by calling mintToken with a large mintedAmount value that causes an integer overflow in the Solidity arithmetic. No special network position, additional authentication, or user interaction is required. The owner simply submits a transaction with crafted parameters that trigger the overflow [1].
Impact
By exploiting the integer overflow, the contract owner can set the balance of an arbitrary user to any desired value, including extremely large or negative amounts. This can lead to a complete loss of trust in the token's supply integrity, potentially enabling price manipulation, fraudulent transfers, and disruption of any application relying on the token's balance accuracy [1].
Mitigation
No official patched version of ComBillAdvancedToken has been publicly released in the references provided. The vulnerability is inherent to the unmodified Solidity contract code. The recommended mitigation is to use safe arithmetic libraries (e.g., OpenZeppelin's SafeMath) and to redeploy the contract with proper overflow checks. The contract is not listed on CISA's Known Exploited Vulnerabilities catalog. As of the publication date (2018-07-09), developers should avoid using this contract without implementing the fix [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/ComBillAdvancedToken (mitre, x_refsource_MISC)