CVE-2018-13675
Description
Integer overflow in YAMBYO token's mintToken function lets the contract owner arbitrarily set any user's balance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The mintToken function in the YAMBYO smart contract (Ethereum token) contains an integer overflow vulnerability [2]. The function does not properly check arithmetic operations, allowing the owner to mint an arbitrary number of tokens. This is a common pattern in vulnerable ERC-20 tokens [1]. The affected contract is the YAMBYO token implementation as found in the EtherTokens repository [2].
Exploitation
The attacker must be the contract owner (the address that deployed the contract). The owner calls mintToken with a target address and a large mintedAmount value that causes an integer overflow in the balance update. No user interaction or special network position is required beyond being the owner.
Impact
By exploiting the overflow, the owner can set the balance of any user to any value, effectively creating tokens out of thin air. This can lead to total loss of token value, manipulation of supply, and potential theft from other users if the inflated balance is used to transfer tokens.
Mitigation
No official fix has been published for this specific contract. The vulnerability is inherent in the code as deployed. Developers should use SafeMath libraries to prevent integer overflows [1]. Users should avoid interacting with the YAMBYO token until a patched version is released.
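The SafeMath recommendation above, as an added example (not code from the YAMBYO contract or the referenced repository): a Python model of uint256 addition that puts a wrapping add next to a SafeMath-style checked add inside a mint routine. The Token class, mint_token, mint_twice and the "holder" address are hypothetical names chosen for illustration.

```python
# Added illustration: models Solidity uint256 arithmetic in Python.
# All names below are assumptions, not taken from the YAMBYO source.
UINT256_MAX = 2**256 - 1


class Overflow(Exception):
    """Raised where a SafeMath-style add would revert the transaction."""


def unchecked_add(a: int, b: int) -> int:
    # Pre-0.8 Solidity: uint256 addition silently wraps modulo 2**256.
    return (a + b) & UINT256_MAX


def safe_add(a: int, b: int) -> int:
    # SafeMath-style add: compute the wrapped sum, then require sum >= a.
    c = (a + b) & UINT256_MAX
    if c < a:
        raise Overflow("addition overflow")
    return c


class Token:
    def __init__(self, add):
        self.add = add            # arithmetic policy under test
        self.balance_of = {}
        self.total_supply = 0

    def mint_token(self, target: str, minted_amount: int) -> None:
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("not a uint256")
        # Compute both sums before storing so a revert leaves state unchanged.
        new_balance = self.add(self.balance_of.get(target, 0), minted_amount)
        new_supply = self.add(self.total_supply, minted_amount)
        self.balance_of[target] = new_balance
        self.total_supply = new_supply


def mint_twice(add, first: int, second: int):
    """Mint twice to one constructed holder; return (balance, supply, reverted)."""
    token = Token(add)
    token.mint_token("holder", first)
    try:
        token.mint_token("holder", second)
        reverted = False
    except Overflow:
        reverted = True
    return token.balance_of["holder"], token.total_supply, reverted
```

With the wrapping add, the second mint leaves the balance and supply below their previous values; with the checked add, the same call reverts and state is unchanged.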
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/YAMBYO (mitre, x_refsource_MISC)