Lucene search

GoogleOSV:CVE-2024-35229

HistoryMay 27, 2024 - 5:15 p.m.

CVE-2024-35229

2024-05-2717:15:09

Google

osv.dev

zksync era

layer 2 rollup

cve-2024-35229

zero-knowledge proofs

ethereum

yul

vulnerability

evaluation order

update

redeploy

affected contracts

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to version 1.3.10, there is a very specific pattern f(a(),b()); check_if_a_executed_last() in Yul that exposes a bug in evaluation order of Yul function arguments. This vulnerability has been fixed in version 1.3.10. As a workaround, update and redeploy affected contracts.

References

github.com/matter-labs/era-compiler-solidity/commit/46ce047b51576495779b9f67534207d8154eab79

github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-jf9w-7f5g-j95p

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for OSV:CVE-2024-35229