CVE-2018-13680
Description
The mintToken function of a smart contract implementation for LexitToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in LexitToken's mintToken function allows the contract owner to arbitrarily set any user's token balance.
Vulnerability
The mintToken function in the LexitToken smart contract (an Ethereum token) contains an integer overflow vulnerability [1][2]. The function does not use a safe arithmetic library (e.g., SafeMath), allowing the owner to mint an arbitrary number of tokens. When adding mintedAmount pushes a value past the maximum of a uint256, the result wraps around, so the total supply and user balances can be set to any value. All versions of the LexitToken contract are affected [2].
Exploitation
An attacker who is the contract owner can call mintToken with a large mintedAmount value that causes an integer overflow. By carefully choosing the overflow result, the owner can set the balance of any target address to any desired value (including zero or a very large number) [1]. No additional privileges or user interaction are required beyond contract ownership.
Impact
A successful exploit allows the contract owner to arbitrarily manipulate the token balances of any user. This can lead to theft of tokens (by setting a victim's balance to zero) or inflation of the owner's own balance, effectively draining the contract's value. The integrity of the token's supply and user holdings is completely compromised [1][2].
Mitigation
No official fix has been published for LexitToken. Developers should replace all arithmetic operations with SafeMath functions (e.g., add, sub) to prevent integer overflows. As of the publication date (2018-07-09), the contract remains vulnerable and no workaround exists for deployed instances [1][2].
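What the SafeMath mitigation changes, as an added example (not LexitToken's code, which this page does not show): a Python model of uint256 addition with a hypothetical `Token` ledger, comparing wrapping `+` with a SafeMath-style checked `add`. It assumes the mint adds `mintedAmount` to the target's balance and to the total supply; all names and values are constructed.

```python
UINT256_MAX = 2**256 - 1

def unchecked_add(a, b):
    """`a + b` on uint256 as in Solidity before 0.8: wraps modulo 2**256."""
    return (a + b) & UINT256_MAX

def safe_add(a, b):
    """SafeMath-style add: revert (modelled as raise) if the sum wrapped."""
    c = (a + b) & UINT256_MAX
    if c < a:
        raise OverflowError("SafeMath: addition overflow")
    return c

class Token:
    """Hypothetical ledger (assumption, not the contract's source)."""
    def __init__(self, add):
        self.add = add
        self.balance_of = {}
        self.total_supply = 0

    def mint_token(self, target, minted_amount):
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("minted_amount is not a uint256")
        # Compute both sums before writing, so a revert leaves state untouched.
        new_balance = self.add(self.balance_of.get(target, 0), minted_amount)
        new_supply = self.add(self.total_supply, minted_amount)
        self.balance_of[target] = new_balance
        self.total_supply = new_supply

def demo():
    """Run the same two mints against both ledgers and report the outcome."""
    results = {}
    for name, add in (("unchecked", unchecked_add), ("safemath", safe_add)):
        token = Token(add)
        token.mint_token("holder", 1000)           # constructed sample balance
        try:
            token.mint_token("holder", UINT256_MAX - 999)  # sum == 2**256
            outcome = "accepted"
        except OverflowError:
            outcome = "reverted"
        results[name] = (outcome, token.balance_of["holder"], token.total_supply)
    return results

if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```

With wrapping addition the second mint is accepted and the holder's balance drops from 1000 to 0; with the checked add it reverts and the balance and supply stay at 1000.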
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/LexitToken (mitre, x_refsource_MISC)