CVE-2018-13693

Vulnerability

The mintToken function in the GreenEnergyToken Ethereum smart contract [2] contains an integer overflow vulnerability. The contract, deployed as an ERC-20 token, allows the contract owner to mint new tokens. The function does not properly check for arithmetic overflow when updating a user's balance, enabling the owner to set the balance of an arbitrary user to any value. The issue is demonstrated in a related analysis of a similar contract pattern [1].

Exploitation

An attacker who is the contract owner (or gains control of the owner account) can exploit this by calling mintToken with a crafted mintedAmount value that, when added to the target user's current balance, causes an integer overflow. This allows the owner to arbitrarily increase or set the balance of any user address without restriction.

Impact

Successful exploitation allows the contract owner to arbitrarily manipulate the token balance of any address, effectively minting unlimited tokens. This can lead to total loss of token value, price manipulation on exchanges, and financial harm to other token holders. The attacker gains full control over token supply distribution.

Mitigation

As of the publication date (2018-07-09), no patched version of the GreenEnergyToken contract has been released. The vulnerability is inherent in the smart contract code and can only be fixed by deploying a corrected contract. Users are advised to avoid trusting tokens using this contract code and consider the token's value as compromised. The issue is part of a known class of integer overflow vulnerabilities in Ethereum tokens [1].