CVE-2018-13749
Description
The mintToken function of a smart contract implementation for FinalToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in FinalToken's mintToken function allows contract owner to arbitrarily set any user's balance.
Vulnerability
The mintToken function in the FinalToken smart contract (an Ethereum token) contains an integer overflow vulnerability [1][2]. The function performs arithmetic on the total supply and user balance without using SafeMath or overflow checks, allowing the owner to mint an arbitrary amount of tokens. Affected versions: all deployments of FinalToken as per the repository [2].
Exploitation
The attacker must be the contract owner (the address that deployed the contract). The owner calls mintToken with a target address and a large mintedAmount value that causes an integer overflow when added to the total supply or the user's balance. No user interaction or special network position is required beyond being the owner.
Impact
By exploiting the overflow, the owner can set the balance of any user to any value, effectively creating tokens out of thin air. This can lead to total loss of token value, as the supply can be inflated arbitrarily. The impact is a complete compromise of the token's integrity and economic model.
Mitigation
No official fix has been published for FinalToken. The vulnerability is inherent in the contract code. Developers should use the SafeMath library for arithmetic operations to prevent overflows. As of the publication date (2018-07-09), no patched version exists. The contract may be considered deprecated or at risk.
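The arithmetic described above, modelled as an added example that is not part of this record and not taken from FinalToken's source: Python integers masked to 256 bits stand in for the EVM's uint256, and the class, method and account names are assumptions. It contrasts an unchecked mint with a SafeMath-style checked one.

```python
UINT256_MAX = 2**256 - 1  # largest value an EVM uint256 can hold

def safe_add(a, b):
    """SafeMath-style addition: fail instead of wrapping past 2**256 - 1."""
    c = (a + b) & UINT256_MAX
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c

class TokenModel:
    """Hypothetical ledger; names are assumptions, not FinalToken's code."""

    def __init__(self, owner, initial_supply):
        self.owner = owner
        self.total_supply = initial_supply
        self.balance_of = {owner: initial_supply}

    def _require_owner(self, sender):
        if sender != self.owner:
            raise PermissionError("caller is not the owner")

    def mint_unchecked(self, sender, target, amount):
        # Unchecked `+=` on uint256: the sum is reduced modulo 2**256.
        self._require_owner(sender)
        balance = self.balance_of.get(target, 0)
        self.balance_of[target] = (balance + amount) & UINT256_MAX
        self.total_supply = (self.total_supply + amount) & UINT256_MAX

    def mint_checked(self, sender, target, amount):
        # Compute both sums first so a failed check leaves state untouched.
        self._require_owner(sender)
        new_balance = safe_add(self.balance_of.get(target, 0), amount)
        new_supply = safe_add(self.total_supply, amount)
        self.balance_of[target] = new_balance
        self.total_supply = new_supply

def demo():
    """Constructed scenario: a holder with 1000 tokens, then an oversized mint."""
    token = TokenModel("owner", 10_000)
    token.mint_checked("owner", "holder", 1_000)
    try:
        token.mint_checked("owner", "holder", UINT256_MAX)
        rejected = False
    except OverflowError:
        rejected = True
    after_checked = (token.balance_of["holder"], token.total_supply)
    token.mint_unchecked("owner", "holder", UINT256_MAX)
    after_unchecked = (token.balance_of["holder"], token.total_supply)
    return rejected, after_checked, after_unchecked
```

In the unchecked path the holder's balance and the total supply both end up lower than before the mint, which is the wraparound the checked path refuses.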
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (2)
[1] github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
[2] github.com/BlockChainsSecurity/EtherTokens/tree/master/FinalToken (mitre, x_refsource_MISC)