CVE-2022-29219

Name of the Vulnerable Software and Affected Versions Lodestar versions prior to 0.36.0

Description The issue is related to the representation of uint64 values as native JavaScript numbers in Lodestar, a TypeScript implementation of the Ethereum Consensus specification. When uint64 values greater than 2^53 are included on-chain, Lodestar may view valid AttesterSlashing or ProposerSlashing as invalid due to rounding errors in large number values, causing a consensus split. Similarly, Lodestar may consider invalid ProposerSlashing as valid, including them in proposed blocks that will be considered invalid by the network.

Recommendations As a temporary workaround, consider using BigInt to represent Slot and Epoch values in AttesterSlashing and ProposerSlashing objects, carefully using BigInt just where necessary for consensus. For versions prior to 0.36.0, update to version 0.36.0 to resolve the issue.