Lucene search

[email protected]CVE-2024-35229

HistoryMay 27, 2024 - 5:15 p.m.

CVE-2024-35229

2024-05-2717:15:09

CWE-696

[email protected]

web.nvd.nist.gov

zksync era

layer 2 rollup

zero-knowledge proofs

ethereum

yul

vulnerability

evaluation order fix

version 1.3.10

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to version 1.3.10, there is a very specific pattern f(a(),b()); check_if_a_executed_last() in Yul that exposes a bug in evaluation order of Yul function arguments. This vulnerability has been fixed in version 1.3.10. As a workaround, update and redeploy affected contracts.

Affected configurations

Vulners

Node

matter-labszkvyperRange<1.3.10

CNA Affected

[
  {
    "vendor": "matter-labs",
    "product": "era-compiler-solidity",
    "versions": [
      {
        "version": "< 1.3.10",
        "status": "affected"
      }
    ]
  }
]

References

github.com/matter-labs/era-compiler-solidity/commit/46ce047b51576495779b9f67534207d8154eab79

github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-jf9w-7f5g-j95p

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVE-2024-35229

nvd1 cvelist1 osv1