CVE-2018-18920
Py-EVM v0.2.0-alpha.33 - Denial of Service via Invalid Opcode in Bytecode Execution
Severity: HIGH
Title source: llmDescription
Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
References (4)
Third Party Advisory x_refsource_misc
https://twitter.com/AlexanderFisher/status/1060923428641878019
Exploit, Third Party Advisory x_refsource_misc
https://github.com/ethereum/py-evm/issues/1448
Third Party Advisory x_refsource_misc
https://twitter.com/NettaLab/status/1060889400102383617
Third Party Advisory x_refsource_misc
https://www.reddit.com/r/ethereum/comments/9vkk2g/netta_labs_claim_to_have_found_a_vulnerability_in/e9d3wyx/
Scores
CVSS v3: 8.8 (vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0290
EPSS Percentile: 85.2%
Attack Vector: NETWORK
Details
CWE: CWE-119
Status: published
Products (2)
ethereum/py-evm: 0.2.0 alpha.33
pypi/py-evm: 0 - 0.2.0a33 (PyPI)
Published: Nov 12, 2018
Tracked Since: Feb 18, 2026