CVE-2018-13755

Vulnerability

The mintToken function in the OTAKUToken smart contract (Ethereum) contains an integer overflow vulnerability. The function allows the contract owner to mint tokens to any address without proper overflow checks. The affected contract is the OTAKUToken implementation as found in the EtherTokens repository [2]. The vulnerability is similar to the GEMCHAIN example [1] where the mint function lacks safe arithmetic.

Exploitation

An attacker who is the contract owner can call mintToken with a large mintedAmount value that causes an integer overflow in the total supply or balance calculation. This allows the owner to set the balance of any arbitrary user to any value, including extremely large numbers.

Impact

The owner can arbitrarily inflate the token supply and assign any balance to any address, effectively breaking the token's scarcity and value. This can lead to complete loss of trust and financial loss for token holders.

Mitigation

No official fix has been disclosed in the available references. The contract should use SafeMath library or require checks to prevent overflow. As of the publication date (2018-07-09), no patched version is known.