PT-2023-33060 · Unknown · Ethereum Abi Decoder

Published

2023-11-24

·

Updated

2023-11-24

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Ethereum ABI decoder (affected versions not specified)

Description

A potential denial-of-service (DoS) vector exists in the Ethereum ABI decoder because the specification allows zero-sized types (ZST). Parsing a malicious payload together with a matching schema can cause excessive resource consumption: when a parser expects an array of ZST, it attempts to parse as many ZST elements as the byte array claims to contain, even though those elements occupy no payload bytes, which can lead to a DoS. The Ethereum ABI specification could have disallowed ZST completely, but they remain permitted, even though the latest versions of Solidity and Vyper do not allow defining ZST such as empty tuples or empty arrays.

Recommendations

As a temporary workaround, consider disabling the parsing of zero-sized types (ZST) in the Ethereum ABI decoder until a patch is available. Restrict access to the vulnerable decode function in the eth-abi library to minimize the risk of exploitation. Avoid using the decode function with schemata that include dynamic arrays of ZST, such as ()[] or uint32[0][], until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
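The two recommendations above can be checked mechanically. The following is an added example written for this page, not code from the advisory or from the eth-abi project: static_size computes the encoded size of a static ABI type from its type string (a result of 0 marks a ZST such as () or uint32[0]), zst_dynamic_arrays lists every sub-type T[] whose element is zero-sized so that a schema can be rejected before it reaches the decoder, and array_header_is_sane is the bound a guarded decoder would apply to a dynamic array's length word. The type-string grammar is a simplified reading of the ABI specification, and all function names are this example's own.

```python
"""Added example: detect zero-sized-type (ZST) dynamic arrays in ABI schemas and
bound array headers at decode time. Stand-alone code, not part of eth-abi."""
import re
from typing import Optional

WORD = 32  # every static elementary ABI type is encoded in one 32-byte word

# Elementary static types of the ABI spec; bytes/string are treated as dynamic below.
_ELEMENTARY = re.compile(
    r"^(address|bool|function|u?int(\d+)?|bytes(\d+)?|u?fixed(\d+x\d+)?)$"
)
# A type string is a base type followed by zero or more array dimensions.
_TYPE = re.compile(r"(.*?)((?:\[\d*\])*)")


def _split_top_level(body: str) -> list[str]:
    """Split a tuple body on commas not nested inside parentheses; '' -> []."""
    if body == "":
        return []
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def _base_and_dims(type_str: str) -> tuple[str, list[str]]:
    """'uint32[0][]' -> ('uint32', ['0', '']); '(uint8,bool)' -> ('(uint8,bool)', [])."""
    m = _TYPE.fullmatch(type_str.replace(" ", ""))
    return m.group(1), re.findall(r"\[(\d*)\]", m.group(2))


def static_size(type_str: str) -> Optional[int]:
    """Encoded size in bytes of a static ABI type, or None if the type is dynamic.
    A return value of 0 identifies a zero-sized type such as () or uint32[0]."""
    base, dims = _base_and_dims(type_str)
    if base.startswith("(") and base.endswith(")"):
        sizes = [static_size(c) for c in _split_top_level(base[1:-1])]
        size = None if None in sizes else sum(sizes)
    elif base in ("bytes", "string"):
        size = None
    elif _ELEMENTARY.match(base):
        size = WORD
    else:
        raise ValueError(f"unrecognised ABI type {base!r}")
    for d in dims:  # innermost dimension first; T[] is always dynamic
        if size is None:
            break
        size = None if d == "" else size * int(d)
    return size


def zst_dynamic_arrays(type_str: str) -> list[str]:
    """Return every sub-type T[] whose element T is zero-sized. For such arrays the
    length word costs the sender no payload bytes, so it must not be trusted."""
    base, dims = _base_and_dims(type_str)
    found: list[str] = []
    if base.startswith("("):
        for comp in _split_top_level(base[1:-1]):
            found += zst_dynamic_arrays(comp)
    elem = base
    for d in dims:
        if d == "" and static_size(elem) == 0:
            found.append(elem + "[]")
        elem += f"[{d}]"
    return found


def array_header_is_sane(elem_type: str, claimed_length: int, remaining_bytes: int) -> bool:
    """Decoder-side guard for a dynamic array's length word: each claimed element
    must be backed by payload bytes (dynamic elements occupy one head word each),
    so a zero-sized element type is refused outright."""
    size = static_size(elem_type)
    if size is None:
        size = WORD
    if size == 0:
        return False
    return claimed_length * size <= remaining_bytes


if __name__ == "__main__":
    for schema in ("()[]", "uint32[0][]", "(address,()[3][])", "(uint256,bytes)[]"):
        print(f"{schema:24} ZST dynamic arrays: {zst_dynamic_arrays(schema)}")
```

Running the schema check over a contract's decode schemata before deployment, and the header check inside any decoder you control, covers both the "avoid such schemata" and the "disable parsing of ZST" workarounds from the advisory; fixed-size arrays of ZST such as ()[3] are left alone because their element count comes from the schema rather than from the payload.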

Weakness Enumeration

Resource Exhaustion

Related Identifiers

GHSA-RQR8-PXH7-CQ3G

Affected Products

Ethereum Abi Decoder
Eth Abi