Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integer overflow in mintTokens #1

Closed
whiteHat001 opened this Issue Jul 17, 2018 · 4 comments

Comments

Projects
None yet
2 participants
@whiteHat001
Copy link

whiteHat001 commented Jul 17, 2018

Hello,
I have found an integer overflow in mintTokens,the supply variable could overflow,because of the _amount variable is controlled by us and can eventually cause supply overflow to zero.

  function mintTokens(address _to, uint256 _amount) {         
    if (msg.sender != icoContractAddress) throw;            // Only ICO address can mint tokens        
    if (restrictedAddresses[_to]) throw;                    // Throw if user wants to send to restricted address       
    if (balances[_to] + _amount < balances[_to]) throw;     // Check for overflows
    supply += _amount;                                      // Update total supply
    balances[_to] += _amount;                               // Set minted coins to target
    Mint(_to, _amount);                                     // Create Mint event       
    Transfer(0x0, _to, _amount);                            // Create Transfer event from 0x
  } 

Discovered by zhihua.yao@dbappsecurity.com.cn(hackyzh)

@whiteHat001

This comment has been minimized.

Copy link
Author

whiteHat001 commented Jul 20, 2018

Any update? @lukapusic

@NieDzejkob

This comment has been minimized.

Copy link

NieDzejkob commented Aug 1, 2018

Correct me if I'm wrong, but AFAICS the first line of this function will prevent unauthorized use, effectively mitigating the vulnerability.

@ghost

This comment has been minimized.

Copy link

ghost commented Aug 1, 2018

@NieDzejkob correct, the first line makes sure that only the ICO contract can mint tokens. Since ICO contract cannot mint tokens because the ICO has ended, this does not pose a problem. There are safeguards in the ICO contract which prevent it from minting new tokens.

@whiteHat001

This comment has been minimized.

Copy link
Author

whiteHat001 commented Aug 2, 2018

Yes,you are correct.I don't notice the first line.

@whiteHat001 whiteHat001 closed this Aug 2, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.