CVE-2024-45056 – A compiler optimization bug in zksolc (Solidity... (How to Fix)

Q: What is the severity of CVE-2024-45056?

CVE-2024-45056 has a CVSS score of 5.9 (MEDIUM). A compiler optimization bug in zksolc (Solidity compiler for ZKsync) incorrectly handles bitwise rotation operations, producing wrong machine code. This could cause smart contracts to execute incorrectly, potentially leading to unexpected behavior or security issues. Only affects developers who compiled contracts with vulnerable zksolc versions.

📋 TL;DR

A compiler optimization bug in zksolc (Solidity compiler for ZKsync) incorrectly handles bitwise rotation operations, producing wrong machine code. This could cause smart contracts to execute incorrectly, potentially leading to unexpected behavior or security issues. Only affects developers who compiled contracts with vulnerable zksolc versions.

💻 Affected Systems

Products:

zksolc (Solidity compiler for ZKsync)

Versions: All versions before 1.5.3

Operating Systems: All platforms running zksolc

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects compilation with optimizations enabled (default). Requires LLVM versions since 2015.

📦 What is this software?

Zksolc by Matter Labs

View all CVEs affecting Zksolc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Smart contracts execute with incorrect logic, potentially allowing unauthorized actions, fund loss, or contract state corruption.

🟠

Likely Case

Contracts may behave unpredictably or fail during execution, but analysis shows no contracts were actually affected before patching.

🟢

If Mitigated

If contracts were compiled with vulnerable compiler but not deployed, or if redeployed after patching, no impact occurs.

🌐 Internet-Facing: LOW - This is a compiler bug affecting contract development, not a runtime vulnerability in deployed contracts.

🏢 Internal Only: MEDIUM - Development environments using vulnerable zksolc versions could produce flawed contracts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires understanding of specific bitwise operations and compiler output. No known exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.3

Vendor Advisory: https://github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-fpx7-8vc6-frjj

Restart Required: No

Instructions:

1. Upgrade zksolc to version 1.5.3 or later. 2. Recompile all Solidity contracts with the patched compiler. 3. Redeploy any contracts compiled with vulnerable versions.

🔧 Temporary Workarounds

Disable compiler optimizations

all

Compile contracts without optimization flags to avoid the bug

zksolc --no-optimize contract.sol

🧯 If You Can't Patch

Avoid using bitwise rotation operations in Solidity contracts
Audit contracts compiled with vulnerable versions for incorrect behavior

🔍 How to Verify

Check if Vulnerable:

Check zksolc version with 'zksolc --version'. If version is earlier than 1.5.3, you are vulnerable.

Check Version:

zksolc --version

Verify Fix Applied:

After upgrading, verify version is 1.5.3 or later and recompile contracts.

📡 Detection & Monitoring

Log Indicators:

Compiler warnings about optimization issues
Contract execution failures involving bitwise operations

Network Indicators:

None - this is a compile-time issue

SIEM Query:

Not applicable for compile-time vulnerabilities

📊 Metadata

CVE ID: CVE-2024-45056

CVSS v3 Score: 5.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-682

Published: August 29, 2024

Last Updated: September 3, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-45056, you might also want to check these: