CVE-2018-13719
Description
The mintToken function of a smart contract implementation for BiteduToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2018-13719 is an integer overflow in BiteduToken's mintToken function that lets the contract owner set any user's balance arbitrarily.
Vulnerability
The mintToken function in the BiteduToken smart contract (an Ethereum token) contains an integer overflow vulnerability. The contract implementation, as seen in the repository at [2], allows the owner to mint new tokens for any address without proper overflow checks, enabling the owner to set the balance of an arbitrary user to any value [1]. The affected versions are all deployments of the BiteduToken contract as found in the BiteduToken folder of the EtherTokens repository [2].
Exploitation
An attacker who is the owner of the BiteduToken contract can exploit this vulnerability by calling the mintToken function with a large mintedAmount parameter. The integer overflow occurs in the arithmetic operation that updates the target user's balance, bypassing standard Ethereum token balance constraints. No special network position or user interaction is required; the owner simply invokes the function with crafted input to overflow the balance variable and set any arbitrary value [1].
Impact
A successful exploit allows the contract owner to set the balance of any user to any value, including extremely large values or values that have wrapped around the integer range. This compromises the integrity of the token's supply and user balances: the owner can inflate balances at will, potentially leading to financial loss for token holders and loss of trust in the token [1].
Mitigation
No official fix or patched version has been disclosed in the available references. The contract as published in the repository at [2] remains vulnerable. Users and token holders should consider the contract as unpatched and exercise caution; deploying a corrected version with safe arithmetic (e.g., using OpenZeppelin's SafeMath library) would mitigate the overflow. The CVE is not listed in KEV at publication time.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
- [1] github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- [2] github.com/BlockChainsSecurity/EtherTokens/tree/master/BiteduToken (mitre, x_refsource_MISC)