CVE-2024-43366 HIGH

CVE-2024-43366: zkvyper ignored loop range bounds

Vendor Matter-Labs

Product era-compiler-vyper

Weakness CWE-835

Published August 15, 2024

Last update August 16, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However, more real-life use cases like iterating over an array are not affected. No contracts were affected by this issue, which was fixed in version 1.5.3. Upgrading and redeploying affected contracts is the only way to avoid the vulnerability.

Key dates

02Disclosure timeline

August 15, 2024 CVE published

August 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-43366 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/835.html

Related vulnerabilities

CVE-2024-43366: zkvyper ignored loop range bounds

01Description

02Disclosure timeline

03References

04Related CVE