PT-2024-31407 · Llvm+1 · Llvm+1

Hedgar2017 · Published 2024-08-29 · Updated 2024-09-03 · CVE-2024-45056

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

zksolc versions prior to 1.5.3

Description

The issue arises in the compilation process of zksolc, a Solidity compiler for ZKsync: all LLVM versions since 2015 incorrectly optimize the expression (xor (shl 1, x), -1) to (rotl ~1, x) when run with optimizations enabled. Here, ~1 is generated as an unsigned 64-bit number (2^64-1), which is then zero-extended to 256 bits on the EraVM target instead of being sign-extended. As a result, the compiler produces rotl 2^64 - 1, x instead of the expected rotl 2^256 - 1, x. Analysis has shown that no contracts were affected as of the date this advisory was published.

Recommendations

For versions prior to 1.5.3, upgrade to version 1.5.3 or later and redeploy all contracts to resolve the issue. As a temporary workaround, consider disabling optimizations in the compiler until a patch is available. However, it is noted that there are no known workarounds for this vulnerability, making an upgrade to a fixed version the only resolution.
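
The miscompilation from the Description, modelled as an added Python example (not code from zksolc, LLVM or the advisory): it evaluates the source expression and both rotl forms on 256-bit words, computing ~1 as the bitwise complement of 1 in 64 bits, and compares the sign-extended and zero-extended constants for every shift amount 0..255. All function names are assumptions made for this illustration.

```python
"""Added illustration: 256-bit (EraVM word) model of the fold in the Description."""

WORD = 256                       # EraVM word width, per the advisory
MASK = (1 << WORD) - 1           # -1 as a 256-bit value


def rotl(value, amount, width=WORD):
    """Rotate `value` left by `amount` bits within a `width`-bit word."""
    amount %= width
    mask = (1 << width) - 1
    value &= mask
    return ((value << amount) | (value >> (width - amount))) & mask


def source_expr(x):
    """(xor (shl 1, x), -1): every bit set except bit x."""
    return ((1 << x) & MASK) ^ MASK


def not_one_64():
    """~1 materialised as an unsigned 64-bit constant."""
    return ~1 & ((1 << 64) - 1)


def sign_extend(value, from_bits, to_bits=WORD):
    """Widen a two's-complement constant by replicating its sign bit."""
    if (value >> (from_bits - 1)) & 1:
        value |= ((1 << to_bits) - 1) ^ ((1 << from_bits) - 1)
    return value


def folded_correct(x):
    """rotl with the constant sign-extended to 256 bits (intended result)."""
    return rotl(sign_extend(not_one_64(), 64), x)


def folded_buggy(x):
    """rotl with the constant zero-extended: the upper 192 bits stay zero."""
    return rotl(not_one_64(), x)


def divergent_shifts():
    """Shift amounts in 0..255 where the zero-extended fold differs from the source."""
    return [x for x in range(WORD) if folded_buggy(x) != source_expr(x)]


if __name__ == "__main__":
    print("sign-extended fold matches source:",
          all(folded_correct(x) == source_expr(x) for x in range(WORD)))
    print("zero-extended fold differs for", len(divergent_shifts()), "shift amounts")
    print(f"x=3 source: {source_expr(3):#066x}")
    print(f"x=3 buggy : {folded_buggy(3):#066x}")
```

With the zero-extended constant only 63 bits of the result are set, against 255 for the source expression, so the two values differ for every shift amount.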


Weakness Enumeration

Related Identifiers

CVE-2024-45056
GHSA-FPX7-8VC6-FRJJ

Affected Products

Llvm
Zksolc