Home > Vulnerability Database > CVE-2024-43366

Mend.io Vulnerability Database

CVE-2024-43366

Good to know:

Date: August 15, 2024

zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no Turing-incompletness restrictions, it is compiled to a loop with a much more late exit condition. It leads to a loss of funds or other unwanted behavior if the loop body contains it. However, more real-life use cases like iterating over an array are not affected. No contracts were affected by this issue, which was fixed in version 1.5.3. Upgrading and redeploying affected contracts is the only way to avoid the vulnerability.

Language: RUST

Severity Score

7.5

Related Resources (3)

Url: https://github.com/matter-labs/era-compiler-vyper/security/advisories/GHSA-8j77-7rrv-6pxx

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-43366

Url: https://www.mend.io/vulnerability-database/CVE-2024-43366

Severity Score

7.5

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

Top Fix

Upgrade Version

Upgrade to version 1.5.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-43366

Good to know:

Date: August 15, 2024

Language: RUST

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?