CVE-2018-13764
Description
The mintToken function of a smart contract implementation for BiquToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in BiquToken's mintToken function allows contract owner to arbitrarily inflate any user's token balance.
Vulnerability
The mintToken function in the BiquToken smart contract (an Ethereum ERC-20 token) contains an integer overflow vulnerability [1][2]. The function performs arithmetic on totalSupply and balances[target] without using SafeMath or overflow checks, allowing the owner to set the balance of any user to an arbitrary value. The affected contract is the BiquToken implementation as found in the referenced repository [2].
Exploitation
The attacker must be the contract owner (the address that deployed the contract). The owner calls mintToken with a mintedAmount value that, when added to the current totalSupply or balances[target], causes an integer overflow. This results in the target's balance being set to a controlled value (e.g., a very large number) [1]. No user interaction is required; the owner can execute the function directly.
Impact
Successful exploitation allows the contract owner to arbitrarily increase the token balance of any address, including their own. This can lead to total loss of token value: the owner can mint an unlimited number of tokens, destroying the token's scarcity and economic model. The integrity of the token supply is compromised.
Mitigation
As of the publication date (2018-07-09), no official patch or fixed version has been released for BiquToken. The vulnerability is inherent in the contract code. Developers should use a SafeMath library (e.g., OpenZeppelin's) to prevent integer overflows. The contract may be considered at risk; users should avoid interacting with this token. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
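Added example (not code from BiquToken or from the referenced repository): a Python model of 256-bit unsigned arithmetic showing how an unchecked mint wraps totalSupply while a SafeMath-style checked add rejects the same call. The Token class, its method names and the sample amounts are constructed for illustration.

```python
UINT256_MAX = 2**256 - 1

class Overflow(Exception):
    """Stands in for a Solidity revert (hypothetical name)."""

def unchecked_add(a: int, b: int) -> int:
    # Solidity before 0.8: '+' on uint256 silently wraps modulo 2**256.
    return (a + b) & UINT256_MAX

def safe_add(a: int, b: int) -> int:
    # SafeMath-style add: compute, then require the result did not wrap.
    c = (a + b) & UINT256_MAX
    if c < a:
        raise Overflow("addition overflow")
    return c

class Token:
    """Hypothetical minimal ledger; field names follow the page's wording."""
    def __init__(self, add, initial_supply):
        self.add = add
        self.totalSupply = initial_supply
        self.balances = {"owner": initial_supply}

    def mint_token(self, target, minted_amount):
        # Owner check omitted: the scenario on this page is the owner calling it.
        new_balance = self.add(self.balances.get(target, 0), minted_amount)
        new_supply = self.add(self.totalSupply, minted_amount)
        # Commit only after both additions succeed, like an atomic revert.
        self.balances[target] = new_balance
        self.totalSupply = new_supply

    def ledger_consistent(self):
        # Invariant an auditor checks: balances must sum to totalSupply.
        return sum(self.balances.values()) == self.totalSupply

def demo(add):
    # Constructed amounts: supply 2**255, then a mint of another 2**255.
    t = Token(add, 2**255)
    try:
        t.mint_token("bob", 2**255)
        status = "accepted"
    except Overflow:
        status = "reverted"
    return status, t.totalSupply, t.ledger_consistent()

if __name__ == "__main__":
    print("unchecked:", demo(unchecked_add))
    print("checked:  ", demo(safe_add))
```

With unchecked addition the mint is accepted and totalSupply wraps to 0 while the balances still hold 2**256 units in total; with the checked add the call reverts and the ledger stays consistent.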
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md (MITRE, x_refsource_MISC)
[2] github.com/BlockChainsSecurity/EtherTokens/tree/master/BiquToken (MITRE, x_refsource_MISC)