CVE-2024-43366
Last modified
CVE-2024-43366 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. EPSS estimates a 0.51% chance of exploitation in the next 30 days.
Description
zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However, more real-life use cases like iterating over an array are not affected. No contracts were affected by this issue, which was fixed in version 1.5.3. Upgrading and redeploying affected contracts is the only way to avoid the vulnerability.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Matter-Labs | Zkvyper | >= 1.3.12, < 1.5.3 |
References
- https://github.com/matter-labs/era-compiler-vyper/security/advisories/GHSA-8j77-7rrv-6pxxExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-43366?
How severe is CVE-2024-43366?
How do I fix CVE-2024-43366?
Are you affected by CVE-2024-43366?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST