VYPR
High severityOSV Advisory· Published Dec 4, 2025· Updated Apr 15, 2026

CVE-2025-66559

CVE-2025-66559

Description

Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Taiko/Taiko MonoOSV2 versions
    blobstorage-v0.2.0, branding-v0.4.0, bridge-ui-v2.11.0, …+ 1 more
    • (no CPE)range: blobstorage-v0.2.0, branding-v0.4.0, bridge-ui-v2.11.0, …
    • (no CPE)range: <=2.3.1
  • Taiko/TaikoInboxllm-create
    Range: <=2.3.1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.