CVE-2018-13737
Description
The mintToken function of a smart contract implementation for AnovaBace, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the mintToken function of the AnovaBace smart contract allows the owner to set any user's balance arbitrarily.
Vulnerability
The AnovaBace Ethereum token contract, as referenced in the EtherTokens repository [1], [2], contains an integer overflow vulnerability in the mintToken function. When an owner calls mintToken with a large mintedAmount, the unchecked arithmetic can overflow, allowing the owner to set the balance of an arbitrary user to any value. The vulnerable contract is associated with the AnovaBace token, and the issue is identical to that described in the GEMCHAIN mint integer overflow example [1]. No specific version string is provided; however, the contract is one of many tokens in the EtherTokens set [2].
Exploitation
An attacker who is the owner of the contract (i.e., the address that deploys or controls the contract) can exploit the integer overflow by calling mintToken with a crafted mintedAmount that causes the arithmetic to overflow. The overflow results in the victim's balance being set to an attacker-controlled value, typically zero or a large arbitrary number. No special network position or additional authentication is required beyond being the contract owner. The sequence of steps is: (1) the owner deploys the vulnerable contract, (2) calls mintToken with an overflow-inducing amount for a chosen address, and (3) the target balance is overwritten.
Impact
Successful exploitation enables the contract owner to arbitrarily assign any token balance to any user address. This can lead to severe token supply manipulation, including inflating the total supply or zeroing out specific accounts. The impact is primarily integrity and availability: the token's accounting is corrupted, rendering the token untrustworthy and useless for legitimate purposes. There is no direct confidentiality impact, but the token contract is effectively compromised.
Mitigation
As of publication (July 9, 2018), no official patched version of the AnovaBace contract has been identified in the available references [1], [2]. The vulnerability originates from the absence of overflow checks in the mintToken function. Developers should use SafeMath or similar libraries for arithmetic operations to prevent integer overflows. Users of the AnovaBace token are advised to treat the contract as untrustworthy. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
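The following is an added example, not code from the AnovaBace contract or the referenced repository: a Python model of uint256 arithmetic that runs the same mint sequence with unchecked addition and with a SafeMath-style checked addition. The `Token` class, the `holder` account and the minted amounts are constructed for illustration.

```python
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for an EVM revert (state changes are discarded)."""

def unchecked_add(a, b):
    # uint256 `a + b` without an overflow check: wraps modulo 2**256.
    return (a + b) & UINT256_MAX

def safe_add(a, b):
    # SafeMath-style add: a wrapped sum is smaller than its first operand.
    c = (a + b) & UINT256_MAX
    if c < a:
        raise Revert("addition overflow")
    return c

class Token:
    """Hypothetical owner-mintable token, not the AnovaBace source."""
    def __init__(self, owner, add):
        self.owner, self.add = owner, add
        self.balance_of, self.total_supply = {}, 0

    def mint_token(self, sender, target, minted_amount):
        if sender != self.owner:
            raise Revert("only owner")
        if not 0 <= minted_amount <= UINT256_MAX:
            raise ValueError("mintedAmount must fit in uint256")
        # Compute both sums first so a revert leaves state untouched.
        new_balance = self.add(self.balance_of.get(target, 0), minted_amount)
        new_supply = self.add(self.total_supply, minted_amount)
        self.balance_of[target], self.total_supply = new_balance, new_supply

def run_scenario(add):
    """Mint 1000 to a holder, then mint an amount whose sum exceeds uint256."""
    token = Token("owner", add)
    token.mint_token("owner", "holder", 1000)
    try:
        token.mint_token("owner", "holder", UINT256_MAX - 999)  # constructed value
        reverted = False
    except Revert:
        reverted = True
    return token.balance_of["holder"], token.total_supply, reverted

if __name__ == "__main__":
    print("unchecked:", run_scenario(unchecked_add))
    print("checked:  ", run_scenario(safe_add))
```

With unchecked addition the second mint lowers the holder's balance, which a mint should never do; with the checked addition the call reverts and the earlier balance and supply are preserved.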
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
References
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/AnovaBace (mitre, x_refsource_MISC)