25 May 2022
24 May 2022
How to fix?
Upgrade @chainsafe/lodestar to version 0.36.0 or higher.
@chainsafe/lodestar is a TypeScript implementation of the beacon chain.
Affected versions of this package are vulnerable to Buffer Overflow. A consensus split is possible when a maliciously crafted ProposerSlashing is included on-chain.
The library represents Epoch values as native JavaScript numbers, which causes an issue when those variables carry large (greater than 2^53) uint64 values and are included on chain. In those cases, Lodestar may view such a ProposerSlashing as _invalid_, due to rounding errors in large number values. This causes a consensus split, where Lodestar nodes are forked away from the main network.
Similarly, Lodestar may consider such a ProposerSlashing _valid_, thus including in proposed blocks data that the rest of the network will consider invalid.
Use BigInt to represent Epoch values in ProposerSlashing. BigInt is too slow to be used in all Epoch cases, so use BigInt only where it is necessary for consensus.
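The precision problem and the fix described above, as an added example that is not Lodestar's own code: a uint64 field is serialized as 8 little-endian bytes (a constructed SSZ-style encoding, assumed here), then decoded once into a JavaScript number and once into a BigInt. Two adjacent values just above 2^53 collapse to the same number under the lossy decoder, so an equality check between two header epochs gives a different answer than the rest of the network would compute; the BigInt decoder keeps them distinct. The field name `epoch` and the helper names are assumptions for illustration.

```typescript
// Added example (not @chainsafe/lodestar code). Demonstrates why uint64
// consensus fields must not be decoded into JavaScript numbers above 2^53.

// Serialize a bigint as an 8-byte little-endian uint64 (constructed encoding).
function encodeUint64LE(value: bigint): Uint8Array {
  const out = new Uint8Array(8);
  let v = value;
  for (let i = 0; i < 8; i++) {
    out[i] = Number(v & BigInt(0xff));
    v >>= BigInt(8);
  }
  return out;
}

// Lossy decoder: accumulates into a double, which has 53 bits of mantissa.
// Values above 2^53 are rounded to the nearest representable double.
function decodeUint64AsNumber(bytes: Uint8Array): number {
  let v = 0;
  for (let i = 7; i >= 0; i--) {
    v = v * 256 + bytes[i];
  }
  return v;
}

// Exact decoder: BigInt carries the full 64 bits.
function decodeUint64AsBigInt(bytes: Uint8Array): bigint {
  let v = BigInt(0);
  for (let i = 7; i >= 0; i--) {
    v = (v << BigInt(8)) | BigInt(bytes[i]);
  }
  return v;
}

// True when a uint64 value survives a round trip through a JavaScript number.
// This is the kind of guard that lets a client keep fast number arithmetic
// for ordinary values and fall back to BigInt only when it matters.
function fitsInSafeNumber(value: bigint): boolean {
  return value <= BigInt(Number.MAX_SAFE_INTEGER);
}

// Compare two serialized epoch values the lossy way (pre-fix behaviour).
function sameEpochUsingNumber(a: Uint8Array, b: Uint8Array): boolean {
  return decodeUint64AsNumber(a) === decodeUint64AsNumber(b);
}

// Compare two serialized epoch values exactly (post-fix behaviour).
function sameEpochUsingBigInt(a: Uint8Array, b: Uint8Array): boolean {
  return decodeUint64AsBigInt(a) === decodeUint64AsBigInt(b);
}

// Constructed adversarial inputs: 2^53 and 2^53 + 1 as on-chain header epochs.
const TWO_POW_53 = BigInt(Number.MAX_SAFE_INTEGER) + BigInt(1);
const EPOCH_A = encodeUint64LE(TWO_POW_53);
const EPOCH_B = encodeUint64LE(TWO_POW_53 + BigInt(1));

// Walks both comparisons over the constructed inputs and reports the split.
function demonstrateSplit(): { lossyEqual: boolean; exactEqual: boolean } {
  return {
    lossyEqual: sameEpochUsingNumber(EPOCH_A, EPOCH_B),   // true: values collapsed
    exactEqual: sameEpochUsingBigInt(EPOCH_A, EPOCH_B),   // false: values distinct
  };
}

console.log(demonstrateSplit());
```

A node using the lossy comparison accepts or rejects the object differently from peers that decode exactly, which is the consensus split the advisory describes. The `fitsInSafeNumber` guard shows the trade-off the patch makes: number arithmetic stays in place for the common case, and BigInt is used only on the path where exactness decides validity.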