
CWE-682

Incorrect Calculation

Abstraction: Pillar · Status: Draft · Likelihood: High

Description

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

When a product performs a security-critical calculation incorrectly, it might lead to incorrect resource allocations, incorrect privilege assignments, or failed comparisons, among other things. Many of the direct results of an incorrect calculation can lead to even larger problems such as failed protection mechanisms or even arbitrary code execution.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-128 · CAPEC-129

CVEs mapped to this weakness (64)

  • CVE-2025-26622 · Feb 21, 2025
    risk 0.00 · cvss · epss 0.00

    Vyper is a Pythonic Smart Contract Language for the EVM. Vyper's `sqrt()` builtin uses the Babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to `sqrt` incorrectly returning rounded-up results. This…

  • CVE-2024-32873 · Jun 6, 2024
    risk 0.00 · cvss · epss 0.00

    Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0.

  • CVE-2023-42460 · Sep 26, 2023
    risk 0.00 · cvss · epss 0.01

    Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue…

  • CVE-2023-28431 · Mar 22, 2023
    risk 0.00 · cvss · epss 0.01

    Frontier is an Ethereum compatibility layer for Substrate. Frontier's `modexp` precompile uses `num-bigint` crate under the hood. In the implementation prior to pull request 1017, the cases for modulus being even and modulus being odd are treated separately. Odd modulus uses the…

  • CVE-2023-24533 · Mar 8, 2023
    risk 0.00 · cvss · epss 0.01

    Multiplication of certain unreduced P-256 scalars produces incorrect results. There are no protocols known at this time that can be attacked due to this.

  • CVE-2023-26488 · Mar 3, 2023
    risk 0.00 · cvss · epss 0.01

    OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token…

  • CVE-2022-39242 · Sep 24, 2022
    risk 0.00 · cvss · epss 0.01

    Frontier is an Ethereum compatibility layer for Substrate. Prior to commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658, the worst case weight was always accounted as the block weight for all cases. In case of large EVM gas refunds, this can lead to block spamming attacks -- the…

  • CVE-2022-31198 · Aug 1, 2022
    risk 0.00 · cvss · epss 0.01

    OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected…

  • CVE-2022-31169 · Jul 21, 2022
    risk 0.00 · cvss · epss 0.01

    Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2.…

  • CVE-2022-31104 · Jun 27, 2022
    risk 0.00 · cvss · epss 0.02

    Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is…

  • CVE-2022-22138 · Jun 17, 2022
    risk 0.00 · cvss · epss 0.01

    All versions of package fast-string-search are vulnerable to Denial of Service (DoS) when computations are incorrect for non-string inputs. One can cause V8 to attempt reading from non-permitted locations and cause a segmentation fault due to the violation.

  • CVE-2022-30600 · May 18, 2022
    risk 0.00 · cvss · epss 0.05

    A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

  • CVE-2022-23066 · May 9, 2022
    risk 0.00 · cvss · epss 0.02

    Solana rBPF versions 0.2.26 and 0.2.27 are affected by an Incorrect Calculation caused by an improper implementation of the sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may…

  • CVE-2022-23628 · Feb 9, 2022
    risk 0.00 · cvss · epss 0.01

    OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree (AST) that contains synthetic nodes could change the logic of some statements by reordering array literals. Example of policies impacted are those that parse…

  • CVE-2021-41222 · Nov 5, 2021
    risk 0.00 · cvss · epss 0.00

    TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SplitV` can trigger a segfault if an attacker supplies negative arguments. This occurs whenever `size_splits` contains more than one value and at least one value is negative.…

  • CVE-2021-41122 · Oct 5, 2021
    risk 0.00 · cvss · epss 0.01

    Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. This can lead to logic errors. This issue has been resolved in version 0.3.0.

  • CVE-2021-38194 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the ark-r1cs-std crate before 0.3.1 for Rust. It does not enforce any constraints in the FieldVar::mul_by_inverse method. Thus, a prover can produce a proof that is unsound but is nonetheless verified.

  • CVE-2020-26265 · Dec 11, 2020
    risk 0.00 · cvss · epss 0.01

    Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included…

  • CVE-2020-26240 · Nov 25, 2020
    risk 0.00 · cvss · epss 0.02

    Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the…

  • CVE-2020-26241 · Nov 25, 2020
    risk 0.00 · cvss · epss 0.01

    Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at…