CVE-2024-34704 – era-compiler-solidity contains a `xor(zext(cmp), -1)` misoptimization
https://notcve.org/view.php?id=CVE-2024-34704
era-compiler-solidity is the ZKsync compiler for Solidity. The problem occurred during instruction selection in the `DAGCombine` phase while visiting the XOR operation. The issue arises when attempting to fold the expression `!(x cc y)` into `(x !cc y)`.
• https://github.com/matter-labs/era-compiler-solidity/security/advisories/GHSA-22pj-7cvw-r3gc
• CWE-682: Incorrect Calculation
CVE-2023-46232 – era-compiler-vyper First Immutable Variable Initialization vulnerability
https://notcve.org/view.php?id=CVE-2023-46232
era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vyper version 1.3.10, a bug prevented the initialization of the first immutable variable for Vyper contracts meeting certain criteria. The problem arises when there is a String or Array with more 256-bit words allocated than initialized. This leaves the second word’s index unset, which is effectively 0, so the first immutable value, which actually has index 0, is overwritten in the ImmutableSimulator. Version 1.3.10 fixes this issue by setting all indexes in advance.
• https://github.com/matter-labs/era-compiler-vyper/commit/8be305a1b9c68d0fd47dad3434224ed85944ca25
• https://github.com/matter-labs/era-compiler-vyper/security/advisories/GHSA-h8jv-969m-94r4
• https://github.com/matter-labs/era-system-contracts/blob/main/contracts/ImmutableSimulator.sol#L37
• CWE-471: Modification of Assumed-Immutable Data (MAID)