Incorrect Calculation Affecting package, versions <1.19.7

  • Attack Complexity


  • Integrity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    26 Nov 2020

  • disclosed

    26 Nov 2020

  • credit


How to fix?

Upgrade to version 1.19.7 or higher.

Overview is a Package that implements the Ethereum Virtual Machine.

Affected versions of this package are vulnerable to Incorrect Calculation. It can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode.When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.