CVE-2018-13730

Vulnerability

The mintToken function in the HEY Ethereum token smart contract [2] contains an integer overflow vulnerability. This allows the contract owner to set the balance of any arbitrary user to any value without proper validation. The issue is present in the HEY token implementation as described in the reference [1].

Exploitation

An attacker who is the contract owner can exploit this by calling the mintToken function with carefully crafted input values that cause an integer overflow, thereby setting the target user's balance to an arbitrary number. No special privileges beyond contract ownership are required.

Impact

Successful exploitation allows the owner to arbitrarily increase or decrease any user's token balance, leading to potential theft of funds or inflation of token supply. This compromises the integrity of the token and can cause financial loss for other holders.

Mitigation

As of the provided references, no fix or patched version has been disclosed for the HEY token. Developers should avoid using contracts with unprotected arithmetic operations and implement SafeMath functions to prevent integer overflows. Users should verify the contract code before interacting with it.