CVE-2023-46232
CVE-2023-46232 is a medium-severity vulnerability in Matter-labs Zkvyper with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-471.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 1% (43rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-471
- Affected product: Matter-labs Zkvyper
- Published:
- Last modified:
Description
era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The problem arises when there is a String or Array with more 256-bit words allocated than initialized. It results in the second word’s index unset, that is effectively set to 0, so the first immutable value with the actual 0 index is overwritten in the ImmutableSimulator. Version 1.3.10 fixes this issue by setting all indexes in advance. The problem will go away, but it will get more expensive if the user allocates a lot of uninitialized space, e.g. `String[4096]`. Upgrading and redeploying affected contracts is the only way of working around the issue.
Frequently asked questions
- What is CVE-2023-46232?
- era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The problem arises when there is a String or Array with more 256-bit words allocated than initialized. It results in the second word’s index unset, that is effectively set to 0, so the first immutable value with the actual 0 index is overwritten in the ImmutableSimulator. Version 1.3.10 fixes this issue by setting all indexes in advance. The problem will go away, but it will get more expensive if the user allocates a lot of uninitialized space, e.g. `String[4096]`. Upgrading and redeploying affected contracts is the only way of working around the issue.
- How severe is CVE-2023-46232?
- CVE-2023-46232 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2023-46232 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-46232?
- CVE-2023-46232 affects Matter-labs Zkvyper. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-46232?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-46232 published?
- CVE-2023-46232 was published on 2023-10-25 and last updated on 2026-06-17.
References
- https://github.com/matter-labs/era-compiler-vyper/commit/8be305a1b9c68d0fd47dad3434224ed85944ca25
- https://github.com/matter-labs/era-compiler-vyper/security/advisories/GHSA-h8jv-969m-94r4
- https://github.com/matter-labs/era-system-contracts/blob/main/contracts/ImmutableSimulator.sol#L37
Affected products (1)
- cpe:2.3:a:matter-labs:zkvyper:*:*:*:*:*:*:*:*
More vulnerabilities in Matter-labs Zkvyper
- CVE-2024-43366 — High (CVSS 7.5): zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to version 1.5.3, since LLL IR has no…
All CVEs affecting Matter-labs Zkvyper →
Other CWE-471 vulnerabilities
- CVE-2022-25893 — Critical (CVSS 9.8): The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the…
- CVE-2018-3722 — High (CVSS 8.8): merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which…
- CVE-2018-3720 — High (CVSS 8.8): assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which…
- CVE-2018-3728 — High (CVSS 8.8): hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID)…
- CVE-2024-55551 — High (CVSS 8.3): An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters…
- CVE-2024-9876 — High (CVSS 7.3): : Modification of Assumed-Immutable Data (MAID) vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects…