CVE-2018-12079 in Substratum

Summary

by MITRE

The mintToken function of a smart contract implementation for Substratum (SUB), a tradable Ethereum ERC20 token, has no period constraint, which allows the owner to increase the total supply of the digital assets arbitrarily so as to make profits, aka the "tradeTrap" issue.


Analysis

by VulDB Data Team • 02/21/2020

The vulnerability identified as CVE-2018-12079 resides within the Substratum (SUB) ERC20 token smart contract implementation, representing a critical flaw in the token's supply management mechanism. This issue stems from the mintToken function lacking proper period constraints that would normally govern when and how new tokens can be created. The absence of such temporal limitations creates an exploitable condition where the contract owner maintains unchecked authority to arbitrarily increase the total token supply without any regulatory controls or time-based restrictions that would typically be expected in legitimate tokenomics.

The technical flaw manifests as a complete lack of governance controls within the mintToken function, allowing the designated owner account to generate unlimited additional tokens at will. This design flaw directly violates fundamental principles of cryptocurrency economics and tokenomics where supply constraints are essential for maintaining value proposition and market stability. The vulnerability operates under CWE-362 which classifies it as a Concurrent Execution using Shared Resource with Unprotected Critical Section, though in this case the shared resource is the token supply itself rather than traditional concurrent resources. The lack of time-based restrictions or approval mechanisms means that any malicious actor with access to the owner account can instantly inflate the token supply, effectively diluting the holdings of all other token holders through inflationary attacks.

The operational impact of this vulnerability extends far beyond simple supply inflation, creating what security researchers have termed the "tradeTrap" issue. When the owner can arbitrarily mint new tokens, they can manipulate the market dynamics to their advantage, potentially creating artificial scarcity or abundance depending on their trading strategy. This capability allows for manipulation of token value and market perception, making the entire token ecosystem vulnerable to exploitation. The vulnerability essentially provides the owner with a mechanism to profit at the expense of other participants, creating an inherent conflict of interest within the token's governance structure. The impact is particularly severe because it undermines the fundamental trust that users place in the token's supply mechanism and economic model.

Mitigation strategies for this vulnerability require immediate implementation of time-based constraints or approval mechanisms within the mintToken function. The most effective approach involves introducing a minimum time interval between minting operations, typically measured in days or weeks, to prevent instantaneous supply manipulation. Additionally, implementing multi-signature approval requirements for supply increases would distribute control and prevent single-point failures. Security practitioners should also consider implementing supply caps or maximum supply limits that cannot be exceeded through minting operations. The solution must align with industry standards such as those recommended by the Ethereum Improvement Proposal (EIP) community and should follow the principles outlined in the ATT&CK framework for smart contract security, specifically focusing on the privilege escalation and resource exhaustion categories. Regular security audits and formal verification of smart contract code become essential practices to prevent similar vulnerabilities from being introduced in future implementations.
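
The minimum-interval and supply-cap mitigations described above, shown in Solidity as an added example. This is not the Substratum contract's code: the contract name, the limits and the error names are assumptions chosen for illustration, and the transfer and approval functions are left out to keep the focus on minting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Substratum (SUB) contract. All names and limits are assumed.
contract GuardedMintToken {
    uint256 public constant MAX_SUPPLY = 1_000_000 * 10 ** 18; // assumed hard cap
    uint256 public constant MAX_PER_MINT = 10_000 * 10 ** 18;  // assumed ceiling per mint
    uint256 public constant MINT_INTERVAL = 30 days;           // assumed minimum gap between mints

    address public immutable owner;
    uint256 public totalSupply;
    uint256 public lastMintAt;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    error NotOwner();
    error MintTooSoon(uint256 nextAllowed);
    error MintTooLarge();
    error CapExceeded();

    constructor(uint256 initialSupply) {
        if (initialSupply > MAX_SUPPLY) revert CapExceeded();
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        lastMintAt = block.timestamp; // the first mint must also wait one full interval
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Owner-only mint that enforces the period constraint, a per-mint ceiling and the cap.
    function mintToken(address target, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        uint256 nextAllowed = lastMintAt + MINT_INTERVAL;
        // block.timestamp can drift by seconds, which is negligible against a 30-day window.
        if (block.timestamp < nextAllowed) revert MintTooSoon(nextAllowed);
        if (amount > MAX_PER_MINT) revert MintTooLarge();
        if (totalSupply + amount > MAX_SUPPLY) revert CapExceeded();

        lastMintAt = block.timestamp;
        totalSupply += amount;
        balanceOf[target] += amount;
        emit Transfer(address(0), target, amount);
    }
}
```

Because the limits are constants and the contract exposes no setter for them, the owner key cannot relax them after deployment; multi-signature approval can be layered on by deploying with a multisig wallet as the owner.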

Reservation: 06/09/2018
Disclosure: 06/25/2018
Moderation: accepted
CPE: ready
EPSS: 0.00237
KEV: no
Activities: very low
