- 2025
Ethereum Consensus (Lighthouse, dynamic-ssz). Implementations incorrectly accept any non-zero byte as true (e.g., 0x02), breaking canonical serialization guarantees. Can lead to validator slashing inconsistencies across clients. [Link] - 2025
Ethereum Consensus (Lighthouse, Lodestar, ethereum/remerkleable). Affects EIP-6800 ExecutionPayload.execution_witness field. SSZ Union types with None variant incorrectly accept trailing garbage bytes, causing different HashTreeRoot computations and immediate consensus splits in block validation. [Link] - 2025
Ethereum Consensus (ethereum/remerkleable). SSZ implementation fails to enforce strict offset contiguity in variable-length containers. Attackers can inject hidden 'ghost' bytes between data blocks, creating non-canonical encodings that pass validation but hash differently, leading to consensus splits. [Link] - 2025
BitVM. lshift_prevent_overflow assumes helper shifters populate altstack with (N_LIMBS−1) intermediate limbs and unconditionally pulls exactly (N_LIMBS−1) items back, causing stack underflow or silent stack-shape mismatch. [Link] - 2025
BitVM. is_negative / is_positive misclassify when HEAD_OFFSET == 1. is_negative is always true, is_positive is always false. [Link] - 2025
rust-bitcoin-m31. n31_neg computes (-MOD - x) and rewrites only when result equals -(MOD). For x ∈ {-MOD, 0}, returns 0 instead of canonical twisted zero -(MOD). [Link] - 2023
Circomlib-ml. IsPositive() treats zero as a positive number. [Link] - 2022
Circom-pairing. Circom-bigint BigMod/BigMod2 incorrectly omits range checks on the remainder. [Link]