@chainsafe/lodestar@0.36.0-dev.29a37892eb vulnerabilities

Command line interface for lodestar

latest version

1.35.0

latest non vulnerable version

1.36.0-dev.fe5f423da3

first published

5 years ago

latest version published

8 days ago

licenses detected

LGPL-3.0
>=0.6.0 <1.32.0-dev.0be30f63a9; >=1.32.0-dev.7be3d64d70 <1.32.0-dev.7beba714e0; >=1.32.0-dev.8e542ab922 <1.32.0-dev.a2ccd2896c; >=1.32.0-dev.b4d490c7e7 <1.32.0-dev.b5520d9187; >=1.32.0-dev.c64a95d522 <1.32.0-dev.d01ed1576a

View lodestar package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @chainsafe/lodestar package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Buffer Overflow @chainsafe/lodestar is an A Typescript implementation of the beacon chain Affected versions of this package are vulnerable to Buffer Overflow. Possible consensus split given maliciously-crafted `AttesterSlashing` or `ProposerSlashing` being included on-chain. The library represents `uint64` values as native javascript `number`s, causing an issue when those variables with large (greater than 2^53) `uint64` values are included on chain. In those cases, Lodestar may view `_valid_` `AttesterSlashing` or `ProposerSlashing` as `_invalid_,` due to rounding errors in large `number` values. This causes a consensus split, where Lodestar nodes are forked away from the main network. Similarly Lodestar may consider `_invalid_` `ProposerSlashing` as `_valid_`, thus including in proposed blocks that will be considered invalid by the network. Workarounds Use `BigInt` to represent `Slot` and `Epoch` values in `AttesterSlashing` and `ProposerSlashing` objects. `BigInt` is too slow to be used in all `Slot` and `Epoch` cases, so use `BigInt` only when necessary for consensus. How to fix Buffer Overflow? Upgrade `@chainsafe/lodestar` to version 0.36.0 or higher.	<0.36.0

Buffer Overflow

@chainsafe/lodestar is an A Typescript implementation of the beacon chain

Affected versions of this package are vulnerable to Buffer Overflow. Possible consensus split given maliciously-crafted AttesterSlashing or ProposerSlashing being included on-chain.

The library represents uint64 values as native javascript numbers, causing an issue when those variables with large (greater than 2^53) uint64 values are included on chain. In those cases, Lodestar may view _valid_ AttesterSlashing or ProposerSlashing as _invalid_, due to rounding errors in large number values. This causes a consensus split, where Lodestar nodes are forked away from the main network.

Similarly Lodestar may consider _invalid_ ProposerSlashing as _valid_, thus including in proposed blocks that will be considered invalid by the network.

Workarounds

Use BigInt to represent Slot and Epoch values in AttesterSlashing and ProposerSlashing objects. BigInt is too slow to be used in all Slot and Epoch cases, so use BigInt only when necessary for consensus.

How to fix Buffer Overflow?

Upgrade @chainsafe/lodestar to version 0.36.0 or higher.

<0.36.0

Go back to all versions of this package