CVE-2024-43366

7.5 HIGH

📋 TL;DR

This vulnerability in zkvyper (a Vyper compiler for zkSync Era) allows infinite loops in compiled smart contracts due to improper loop exit condition handling in LLL IR. It affects developers using zkvyper versions 1.3.12 through 1.5.2 to compile contracts, potentially leading to loss of funds or unexpected contract behavior.

💻 Affected Systems

Products:
  • zkvyper (Vyper compiler for zkSync Era)
Versions: 1.3.12 through 1.5.2
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects contracts compiled with vulnerable versions. No deployed contracts were known to be affected at advisory publication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of funds in affected smart contracts through infinite loops that prevent proper execution or allow malicious exploitation of contract logic.

🟠 Likely Case

Contract deployment failures or unexpected gas consumption due to infinite loops during execution, potentially causing financial losses for contract users.

🟢 If Mitigated

No impact if contracts are compiled with the patched version or if contracts don't use the affected loop patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires creating or modifying contracts to trigger the vulnerable loop patterns. No known in-the-wild exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.3

Vendor Advisory: https://github.com/matter-labs/era-compiler-vyper/security/advisories/GHSA-8j77-7rrv-6pxx

Restart Required: No

Instructions:

1. Update zkvyper to version 1.5.3 or later using your package manager.
2. Recompile all affected contracts with the updated compiler.
3. Redeploy the recompiled contracts to replace vulnerable deployments.

🔧 Temporary Workarounds

Avoid vulnerable loop patterns (applies to: all)

Manually review and avoid loop patterns that could trigger the infinite loop condition during contract development.

🧯 If You Can't Patch

  • Audit all contracts compiled with vulnerable versions for infinite loop patterns
  • Implement circuit breakers or emergency stop mechanisms in deployed contracts

🔍 How to Verify

Check if Vulnerable:

Check the zkvyper version with 'zkvyper --version' and verify whether it falls between 1.3.12 and 1.5.2 (inclusive).

Check Version:

zkvyper --version

Verify Fix Applied:

Verify that the zkvyper version is 1.5.3 or higher, then recompile and redeploy the contracts.
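The version check above, as an added helper script (not part of the advisory or the zkvyper project): it runs 'zkvyper --version', extracts the first x.y.z number from the output, and classifies it against the affected range 1.3.12 through 1.5.2 and the fixed version 1.5.3. The exact wording of the compiler's version banner is an assumption; only the presence of a dotted version number is relied on.

```python
import re
import subprocess

# Affected range and fix version as stated in the advisory.
AFFECTED_MIN = (1, 3, 12)
AFFECTED_MAX = (1, 5, 2)
FIXED = (1, 5, 3)


def parse_version(text):
    """Extract the first x.y.z number from compiler output as an int tuple.

    Assumption: 'zkvyper --version' prints a semver-style number somewhere
    in its banner; the surrounding text is not relied on.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the version is inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(banner):
    """Classify a version banner: VULNERABLE, FIXED, or BELOW_RANGE.

    BELOW_RANGE means older than 1.3.12, the earliest version the
    advisory lists as affected.
    """
    v = parse_version(banner)
    if is_vulnerable(v):
        return "VULNERABLE"
    if v < AFFECTED_MIN:
        return "BELOW_RANGE"
    return "FIXED"


def check_installed(binary="zkvyper"):
    """Run the installed compiler and classify its reported version."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return f"could not run {binary} --version: {exc}"
    return classify(out.stdout + out.stderr)


if __name__ == "__main__":
    print(check_installed())
```

Run it on every build host and CI image that compiles for zkSync Era; a FIXED result only covers the compiler, so contracts built earlier still need recompiling and redeploying.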

📡 Detection & Monitoring

Log Indicators:

  • Excessive gas consumption in contract execution
  • Contract deployment failures with loop-related errors

Network Indicators:

  • Unusually high gas fees for simple contract operations
  • Failed contract transactions with out-of-gas errors

SIEM Query:

Not applicable - this is a development/compiler issue
