PT-2018-14720 · Python · Py-Evm

Renardbebe

·

Published

2018-11-12

·

Updated

2019-02-04

·

CVE-2018-18920

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Py-EVM version 0.2.0-alpha.33
Description The issue allows attackers to make a vm.execute bytecode call that triggers computation with a stack containing values like 100, 100, 0 where a specific byte b'x' was expected, resulting in an execution failure due to an invalid opcode. This is related to the execution of smart contracts without paying gas, potentially allowing them to run indefinitely.
Recommendations For Py-EVM version 0.2.0-alpha.33, as a temporary workaround, consider restricting the vm.execute bytecode call to prevent the execution of smart contracts with invalid opcodes until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

CVE-2018-18920
GHSA-VQGP-4JGJ-5J64
PYSEC-2018-155
PYSEC-2018-96

Affected Products

Py-Evm