Vulnerability Description
Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ethereum | Py-Evm | 0.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/ethereum/py-evm/issues/1448ExploitThird Party Advisory
- https://twitter.com/AlexanderFisher/status/1060923428641878019Third Party Advisory
- https://twitter.com/NettaLab/status/1060889400102383617Third Party Advisory
- https://www.reddit.com/r/ethereum/comments/9vkk2g/netta_labs_claim_to_have_foundThird Party Advisory
- https://github.com/ethereum/py-evm/issues/1448ExploitThird Party Advisory
- https://twitter.com/AlexanderFisher/status/1060923428641878019Third Party Advisory
- https://twitter.com/NettaLab/status/1060889400102383617Third Party Advisory
- https://www.reddit.com/r/ethereum/comments/9vkk2g/netta_labs_claim_to_have_foundThird Party Advisory
FAQ
What is CVE-2018-18920?
CVE-2018-18920 is a vulnerability with a CVSS score of 8.8 (HIGH). Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution fai...
How severe is CVE-2018-18920?
CVE-2018-18920 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-18920?
Check the references section above for vendor advisories and patch information. Affected products include: Ethereum Py-Evm.