CVE-2018-13754
Description
The mintToken function of a smart contract implementation for CryptosisToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in CryptosisToken's mintToken function allows the contract owner to arbitrarily set any user's balance.
Vulnerability
The mintToken function in the CryptosisToken smart contract (an Ethereum token) contains an integer overflow vulnerability. The function does not use SafeMath or perform overflow checks, allowing the contract owner to pass a large mintedAmount value that overflows the totalSupply and the recipient's balance. This affects all versions of the CryptosisToken contract as found in the referenced repository [1].
Exploitation
An attacker must be the contract owner (the account that deployed the contract). The owner can call mintToken with an extremely large mintedAmount parameter, causing an integer overflow in the arithmetic operations that update totalSupply and the target address's balance. No user interaction or additional privileges are required beyond ownership [2].
Impact
By exploiting the overflow, the owner can set the balance of any arbitrary user to any desired value, including zero or an inflated amount. This can lead to theft of tokens from other holders, artificial inflation of the token supply, and complete loss of trust in the token's integrity. The owner gains full control over all token balances [1][2].
Mitigation
As of the publication date (2018-07-09), no patched version of CryptosisToken has been released. The vulnerability is inherent in the contract's code. The recommended mitigation is to use the SafeMath library for all arithmetic operations and to restrict the mintToken function to only mint tokens to the owner's own address or to implement proper access controls. Users should avoid interacting with this contract until a fix is deployed [1][2].
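The unchecked arithmetic described under Vulnerability and the SafeMath-style check recommended above, modelled in Python as an added example (this is not CryptosisToken's source or code from the referenced repository). The `Token` class, the `demo` helper, the holder address and the amounts are constructed for illustration; the wrap-around behaviour assumes a Solidity compiler before 0.8, where overflow is not checked by default.

```python
# Added illustration: a Python model of EVM uint256 arithmetic, not contract source.
UINT256_MAX = 2**256 - 1

class MintOverflow(Exception):
    """Raised by the checked mint when an addition would exceed uint256."""

def unchecked_add(a, b):
    # Pre-0.8 Solidity semantics: the sum silently wraps modulo 2**256.
    return (a + b) & UINT256_MAX

def checked_add(a, b):
    # SafeMath-style add: compute the sum, then reject it if it wrapped.
    c = (a + b) & UINT256_MAX
    if c < a:
        raise MintOverflow(f"{a} + {b} exceeds uint256")
    return c

class Token:
    """Minimal ledger holding the two values the advisory names."""
    def __init__(self, add):
        self.add = add
        self.total_supply = 0
        self.balance_of = {}

    def mint_token(self, target, minted_amount):
        # Compute both new values before storing either, so a failed check
        # leaves state untouched, as an EVM revert would.
        new_balance = self.add(self.balance_of.get(target, 0), minted_amount)
        new_supply = self.add(self.total_supply, minted_amount)
        self.balance_of[target] = new_balance
        self.total_supply = new_supply

def demo():
    holder = "0xHOLDER"  # constructed placeholder, not a real address
    results = {}
    for name, add in (("unchecked", unchecked_add), ("checked", checked_add)):
        token = Token(add)
        token.mint_token(holder, 1000)  # ordinary mint
        try:
            # 1000 + (2**256 - 500) exceeds uint256 and wraps to 500.
            token.mint_token(holder, UINT256_MAX - 499)
            outcome = "accepted"
        except MintOverflow:
            outcome = "reverted"
        results[name] = (outcome, token.balance_of[holder], token.total_supply)
    return results
```

With unchecked addition the second mint is accepted and both the holder's balance and the total supply drop from 1000 to 500; with the checked addition the call is rejected and both values stay at 1000.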
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (mitre, x_refsource_MISC)
- github.com/BlockChainsSecurity/EtherTokens/tree/master/CryptosisToken (mitre, x_refsource_MISC)