漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction
Vulnerability Description
soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, The Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., >= r). The vulnerability requires an attacker to supply crafted Fr values through contract inputs, and compare them directly without going through host-side arithmetic operations. Smart contracts that rely on Fr equality checks for security-critical logic could produce incorrect results. The impact depends on how the affected contract uses Fr equality comparisons, but can result in incorrect authorization decisions or validation bypasses in contracts that perform equality checks on user-supplied scalar values. This vulnerability is fixed in 22.0.11, 23.5.3, and 25.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
不充分的比较
Vulnerability Title
rs-soroban-sdk 安全漏洞
Vulnerability Description
rs-soroban-sdk是Stellar开源的一个Rust开发者工具包。 rs-soroban-sdk 22.0.11之前版本、23.5.3之前版本和25.3.0之前版本存在安全漏洞,该漏洞源于BN254和BLS12-381的Fr类型比较值未先进行模约简,可能导致依赖Fr相等性检查的安全关键逻辑产生错误结果,绕过授权决策或验证。
CVSS Information
N/A
Vulnerability Type
N/A