Incorrect Conversion between Numeric Types in soroban-env-host

Q: How to fix?

There is no fixed version for soroban-env-host .

Introduced: 7 Mar 2026

How to fix?

There is no fixed version for soroban-env-host.

Overview

Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types in the Val to ScVal conversion process during storage key computation. An attacker can cause unexpected contract failures or transaction rollbacks by triggering a conversion failure and subsequently attempting operations involving MuxedAddress objects. This is only exploitable if a Val conversion failure occurs, a cross-contract call failure is handled gracefully, and a MuxedAddress write is attempted within the same transaction.

Workaround

This vulnerability can be mitigated by ensuring that user input is valid and by avoiding contract invocations from malicious contracts. If a failure occurs, retrying the transaction with proper arguments may resolve the issue.

References

GitHub PR

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Incorrect Conversion between Numeric Types Affecting soroban-env-host package, versions >=0.0.0

Severity

Do your applications use this vulnerable package?