CVE-2023-46232

Name of the Vulnerable Software and Affected Versions era-compiler-vyper versions prior to 1.3.10

Description The issue arises in the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. A bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. This occurs when there is a String or Array with more 256-bit words allocated than initialized, resulting in the second word's index being unset, effectively set to 0. This causes the first immutable value with the actual 0 index to be overwritten in the ImmutableSimulator. The problem is resolved in version 1.3.10, which sets all indexes in advance. However, this fix may increase expenses if the user allocates a lot of uninitialized space.

Recommendations For versions prior to 1.3.10, upgrade to version 1.3.10 and redeploy affected contracts to resolve the issue. As a temporary workaround, consider avoiding the allocation of large uninitialized spaces, such as String[4096], to minimize the risk of exploitation.