CVE-2018-18920

Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
ethereumpy-evm
0.2.0:alpha.33
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ethereum/py-evm/issues/1448
https://twitter.com/AlexanderFisher/status/1060923428641878019
https://twitter.com/NettaLab/status/1060889400102383617
https://www.reddit.com/r/ethereum/comments/9vkk2g/netta_labs_claim_to_have_found_a_vulnerability_in/e9d3wyx/
https://github.com/ethereum/py-evm/issues/1448
https://twitter.com/AlexanderFisher/status/1060923428641878019
https://twitter.com/NettaLab/status/1060889400102383617
https://www.reddit.com/r/ethereum/comments/9vkk2g/netta_labs_claim_to_have_found_a_vulnerability_in/e9d3wyx/