Execution Failure Vulnerability in Ethereum's Py-EVM Product
CVE-2018-18920

8.8HIGH

Key Information:

Vendor

Ethereum

Status
Py-evm
Vendor
CVE Published:
12 November 2018

What is CVE-2018-18920?

The Py-EVM version v0.2.0-alpha.33 is susceptible to a vulnerability that enables malicious actors to invoke the vm.execute_bytecode call improperly. This flaw allows attackers to manipulate the virtual machine's stack with incorrect values, namely using '[100, 100, 0]' when a different byte sequence was expected. The improper handling of these inputs results in an execution failure due to an invalid opcode. Additionally, this vulnerability raises concerns regarding the execution of smart contracts, potentially allowing operations to run indefinitely without the necessary gas fees.

References

https://twitter.com/AlexanderFisher/status/10609234286418...
x_refsource_MISC
https://github.com/ethereum/py-evm/issues/1448
x_refsource_MISC
https://twitter.com/NettaLab/status/1060889400102383617
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.