CVE-2024-35229

Name of the Vulnerable Software and Affected Versions ZKsync Era versions prior to 1.3.10

Description ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. A bug in the evaluation order of Yul function arguments is exposed by a specific pattern f(a(),b()); check if a executed last() in Yul. This issue has been fixed in version 1.3.10.

Recommendations For versions prior to 1.3.10, update and redeploy affected contracts to resolve the issue. As a temporary workaround, consider avoiding the use of the specific pattern f(a(),b()); check if a executed last() in Yul until the update is applied.