CVE-2018-13736

Vulnerability

The mintToken function in the ELearningCoinERC (an Ethereum token) smart contract contains an integer overflow vulnerability. This allows the contract owner to set the balance of any user to any arbitrary value. The affected contract is the ELearningCoinERC implementation at the referenced repository [2]. Versions present in that repository are vulnerable.

Exploitation

An attacker must be the owner of the contract (the address that deployed it). No other authentication or user interaction is required. The owner can call mintToken with a large value that causes an integer overflow, leading to an unintended balance assignment. The exact sequence involves calling mintToken with a target address and an extremely large mintedAmount parameter that overflows the arithmetic [1].

Impact

A successful exploit allows the owner to arbitrarily increase or decrease the balance of any user address. This can result in total loss of token value, theft of funds, or manipulation of token economics. The owner can effectively mint unlimited tokens or drain user balances.

Mitigation

No fix has been disclosed in the available references. Users of ELearningCoinERC should consider the token compromised and discontinue use. No patched version or workaround has been published. The contract is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.