CVE-2018-13741

Vulnerability

The mintToken function in the ABLGenesisToken smart contract (Ethereum) contains an integer overflow vulnerability. This allows the contract owner to set the balance of any user to an arbitrary value by invoking mintToken with specially crafted inputs. The contract code is available in the EtherTokens repository [1][2], and the vulnerability is present in all versions of ABLGenesisToken.

Exploitation

To exploit this vulnerability, an attacker must be the contract owner. By calling mintToken with parameters that cause an integer overflow, the owner can manipulate the arithmetic to set the balance of any chosen address to any desired value.

Impact

A successful exploit enables the owner to arbitrarily inflate or deflate token balances. This undermines the token's scarcity and value, potentially leading to financial losses for legitimate holders and loss of trust in the token.

Mitigation

No official fix has been released for ABLGenesisToken. Developers and users should avoid using this contract. Token contracts should implement the SafeMath library to prevent integer overflow. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.