CVE-2018-13159 in bankcoininfo

Summary

by MITRE

The mintToken function of a smart contract implementation for bankcoin (BNK), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.


Analysis

by VulDB Data Team • 02/25/2020

CVE-2018-13159 resides in the mintToken function of the bankcoin (BNK) smart contract deployed on the Ethereum blockchain. It is a classic integer overflow that compromises the contract's integrity and security model: the contract owner can manipulate token balances in ways that violate the basic assumptions of token economics and smart contract security.

The flaw stems from unchecked arithmetic and missing input validation in mintToken. When the owner invokes the function, the minted amount is added to the target's balance without an overflow check, so the result can exceed the maximum value the underlying data type can store and wrap around to a smaller number or to zero. The weakness is classified as CWE-190 (Integer Overflow or Wraparound), a critical defect in the contract's mathematical operations.

The operational impact of this vulnerability is severe and far-reaching for the bankcoin ecosystem. An attacker with owner privileges can arbitrarily manipulate user balances to any desired value, potentially including setting balances to infinite amounts or negative values. This capability enables the contract owner to drain funds from other users, create artificial wealth distribution, or completely subvert the token's economic model. The vulnerability essentially grants the owner unlimited control over the token supply and user accounts, undermining the trustless nature that blockchain technology aims to provide.

From a cybersecurity perspective, this vulnerability represents a significant risk to the entire token ecosystem and demonstrates the critical importance of proper smart contract auditing and security testing. The issue aligns with ATT&CK technique T1059.001, which involves executing malicious code through command-line interfaces, as the vulnerability allows for arbitrary execution of balance manipulation operations. The vulnerability also relates to T1499.004, which covers data manipulation attacks, since it enables unauthorized modification of critical data structures within the contract. Organizations and users should immediately implement mitigations including contract upgrades, balance verification mechanisms, and comprehensive security audits before any further token operations are conducted.

The remediation approach requires immediate implementation of proper integer overflow protection mechanisms including explicit bounds checking, use of secure arithmetic libraries, and comprehensive input validation for all balance manipulation functions. Additionally, the contract should implement proper access control measures and consider using established token standards like ERC-20 with verified implementations that include built-in overflow protection mechanisms. Regular security audits and formal verification techniques should become standard practice for all smart contract deployments to prevent similar vulnerabilities from compromising blockchain-based financial systems.
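The following Python model, added here and not taken from the bankcoin contract, shows the unchecked mintToken addition beside the checked (SafeMath-style) version the remediation calls for; balances are treated as 256-bit EVM words, the owner-only access check is assumed to have already passed, and the address is a constructed placeholder.

```python
# Model of the mintToken arithmetic behind CVE-2018-13159 (added example; not the
# bankcoin contract's own code). Balances are EVM uint256 words: the ADD opcode, and
# Solidity before 0.8, wrap silently, so an owner-supplied amount can move a balance
# to any value. The checked variant reverts instead of wrapping.
UINT256_MAX = 2**256 - 1


def mint_token_unchecked(balance_of, total_supply, target, minted_amount):
    """Vulnerable pattern: `balanceOf[target] += mintedAmount` with wraparound.
    The onlyOwner modifier is assumed to have passed before this point."""
    if not 0 <= minted_amount <= UINT256_MAX:
        raise ValueError("mintedAmount must be a uint256")
    # Wrapping addition, exactly what the EVM does on a 256-bit word.
    balance_of[target] = (balance_of.get(target, 0) + minted_amount) & UINT256_MAX
    return (total_supply + minted_amount) & UINT256_MAX


def mint_token_checked(balance_of, total_supply, target, minted_amount):
    """Remediated pattern: SafeMath-style `require(c >= a)` before storing."""
    if not 0 <= minted_amount <= UINT256_MAX:
        raise ValueError("mintedAmount must be a uint256")
    new_balance = balance_of.get(target, 0) + minted_amount
    new_supply = total_supply + minted_amount
    # A checked add reverts the whole transaction; storage is left untouched.
    if new_balance > UINT256_MAX or new_supply > UINT256_MAX:
        raise OverflowError("mintToken: uint256 addition overflow, revert")
    balance_of[target] = new_balance
    return new_supply


def audit_overflow_case():
    """Regression case an auditor would run: a holder owns 1000 tokens, then the
    owner mints UINT256_MAX to the same address.
    Returns (wrapped_balance, wrapped_supply, reverted, balance_after_revert)."""
    target = "0xholder"  # constructed placeholder address
    balances = {target: 1_000}
    wrapped_supply = mint_token_unchecked(balances, 1_000, target, UINT256_MAX)
    wrapped_balance = balances[target]  # 1000 + (2**256 - 1) wraps to 999

    balances = {target: 1_000}
    try:
        mint_token_checked(balances, 1_000, target, UINT256_MAX)
        reverted = False
    except OverflowError:
        reverted = True
    return wrapped_balance, wrapped_supply, reverted, balances[target]


if __name__ == "__main__":
    print(audit_overflow_case())
```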

Reservation

07/04/2018

Disclosure

07/04/2018

Moderation

accepted

CPE

ready

EPSS

0.00237

KEV

no

Activities

very low

Sector

Finance
