CVE-2026-32322

Name of the Vulnerable Software and Affected Versions soroban-sdk versions 22.0.11 through 23.5.3 and 25.3.0

Description The soroban-sdk, a Rust SDK for Soroban contracts, had an issue where the Fr (scalar field) types for BN254 and BLS12-381 compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., greater than or equal to r). Exploitation requires an attacker to supply crafted Fr values through contract inputs and compare them directly without host-side arithmetic operations. Smart contracts relying on Fr equality checks for security-critical logic could produce incorrect results, potentially leading to incorrect authorization decisions or validation bypasses when performing equality checks on user-supplied scalar values. The Fr types are wrappers around U256, and the PartialEq implementation compared the raw U256 values directly. Constructors accepted arbitrary U256 values without reducing them modulo r, meaning two Fr values representing the same field element could have different internal representations and compare as not-equal.

Recommendations Upgrade to version 22.0.11, 23.5.3, or 25.3.0 of soroban-sdk. Review any deployed contracts that accept Fr values as input and compare those values using ==, !=, or assert eq!. These contracts may be vulnerable if an attacker can supply unreduced scalar values to bypass equality checks.