DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24783: Broken Math on the Blockchain: Inside CVE-2026-24783

Vulnerability ID: CVE-2026-24783
CVSS Score: 7.5
Published: 2026-01-28

A High-severity (CVSS 7.5) logic error in the soroban-fixed-point-math library causes incorrect rounding in signed division and leaves the narrowing of i128 results to i64 unchecked. Stellar Soroban smart contracts built on the library can therefore settle wrong amounts, and because a wrapping cast turns a large negative i128 into a large positive i64, a massive deficit can come out looking like a massive gain.

TL;DR

The soroban-fixed-point-math library for Stellar smart contracts mishandled 'double negative' signed division: the rounding adjustment was applied whenever the remainder was negative, even when the divisor was negative too and the quotient therefore positive. It also narrowed i128 results to i64 without an overflow check, so a negative value outside the i64 range wraps to a positive one. Attackers who can steer the operands can trigger off-by-one rounding or wrap negative values into positive ones.
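The rounding defect described above, as an added example that is neither the library's code nor the report's: a minimal floor-rounding mul_div wrapped around the two conditions from commit c9233f7, the pre-fix one and the fixed one. Only the condition text is taken from the diff; the function names, the i128 arithmetic around the condition and the sample operands are assumptions for illustration.

```rust
// Added example (not the library's code). Rust `/` truncates toward zero and
// `%` takes the sign of the dividend, so `r` is negative exactly when the
// product x * y is negative. Floor rounding must therefore subtract one only
// when the quotient is negative AND inexact.

/// floor((x * y) / z) with the pre-fix adjustment condition.
pub fn mul_div_floor_old(x: i128, y: i128, z: i128) -> Option<i128> {
    let p = x.checked_mul(y)?;
    let q = p.checked_div(z)?; // None on z == 0 or i128::MIN / -1
    let r = p.checked_rem(z)?;
    // Pre-fix: the `r < 0` arm fires regardless of z's sign, so a negative
    // product over a negative divisor (positive quotient) is rounded down
    // by one although truncation already gave the floor.
    if r < 0 || (r > 0 && z < 0) {
        q.checked_sub(1)
    } else {
        Some(q)
    }
}

/// Same computation with the post-fix condition: adjust only when the
/// remainder and divisor have opposite signs (negative quotient) and the
/// remainder is non-zero (inexact division).
pub fn mul_div_floor_new(x: i128, y: i128, z: i128) -> Option<i128> {
    let p = x.checked_mul(y)?;
    let q = p.checked_div(z)?;
    let r = p.checked_rem(z)?;
    if (r < 0 && z > 0) || (r > 0 && z < 0) {
        q.checked_sub(1)
    } else {
        Some(q)
    }
}

/// Sweep small operands (y fixed at 1) and collect every (x, z) pair on
/// which the two conditions disagree. The divergence is confined to the
/// "both negative, inexact" case, which is the bug the fix removes.
pub fn divergent_inputs(limit: i128) -> Vec<(i128, i128)> {
    let mut out = Vec::new();
    for x in -limit..=limit {
        for z in -limit..=limit {
            if z == 0 {
                continue;
            }
            if mul_div_floor_old(x, 1, z) != mul_div_floor_new(x, 1, z) {
                out.push((x, z));
            }
        }
    }
    out
}

fn main() {
    // Constructed operands: -7 / -2 = 3.5, whose floor is 3.
    println!("old: {:?}", mul_div_floor_old(-7, 1, -2)); // Some(2), off by one
    println!("new: {:?}", mul_div_floor_new(-7, 1, -2)); // Some(3)
    let d = divergent_inputs(5);
    println!(
        "{} divergent pairs, all with x < 0, z < 0 and inexact: {}",
        d.len(),
        d.iter().all(|&(x, z)| x < 0 && z < 0 && x % z != 0)
    );
}
```

The sweep is the check a reviewer of the fix would want: the old and new conditions agree everywhere except when the product and the divisor are both negative and the division is inexact, so the patch changes exactly the case the TL;DR describes and nothing else.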


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-682 (Incorrect Calculation)
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: Integrity Loss (Calculation Errors)
  • Exploit Status: PoC Available
  • Language: Rust

Affected Systems

  • Soroban Smart Contracts
  • Stellar DeFi Protocols
  • Rust applications using soroban-fixed-point-math
  • soroban-fixed-point-math: 1.3.0 (Fixed in: 1.3.1)
  • soroban-fixed-point-math: 1.4.0 (Fixed in: 1.4.1)

Code Analysis

Commit: c9233f7

Fix incorrect rounding logic and add TryFrom checks

fn mul_div(...) {
-    if r < 0 || (r > 0 && z < 0) { ... }
+    if (r < 0 && z > 0) || (r > 0 && z < 0) { ... }
}
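Review bot: the corrected condition `(r < 0 && z > 0) || (r > 0 && z < 0)` is only a valid rounding adjustment if `r` is the remainder of a truncating division (so it carries the dividend's sign) and `z == 0` has already been rejected; neither is visible in this hunk, so the test commit should pin down the both-negative case (r < 0, z < 0) that the old `r < 0 ||` arm wrongly matched, plus an exact-division case (r == 0) where no adjustment may occur. A one-line comment stating what the condition means ("quotient negative and inexact") would spare the next reader the same derivation.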

Commit: 0afac18

Additional test cases for signed math

Exploit Details

  • Hypothetical: mathematical PoC demonstrating integer wrap-around when a negative i128 value outside the i64 range is down-cast to i64.

Mitigation Strategies

  • Upgrade soroban-fixed-point-math to version 1.4.1 or higher (or to 1.3.1 if the project must stay on the 1.3 line).
  • Replace manual bounds checks and `as` narrowing casts with Rust's TryFrom trait (e.g. i64::try_from), which rejects out-of-range values instead of wrapping them.
  • Audit all smart contracts for hand-rolled signed division or rounding logic.
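The wrap-around the PoC entry above alludes to, next to the TryFrom replacement the mitigations recommend, as an added example that is not code from the library or the original report. The balance/delta framing and every function name are assumptions; the only facts used are Rust's `as` semantics and `i64::try_from`.

```rust
// Added example (not the library's code). An `as` cast from i128 to i64
// reduces modulo 2^64 and never fails, so any value below i64::MIN comes out
// as a positive i64. TryFrom reports the out-of-range case instead.
use std::convert::TryFrom;
use std::num::TryFromIntError;

/// The hazard: silent wrap on narrowing.
pub fn narrow_unchecked(v: i128) -> i64 {
    v as i64
}

/// The fix: refuse anything outside i64's range.
pub fn narrow_checked(v: i128) -> Result<i64, TryFromIntError> {
    i64::try_from(v)
}

/// Hypothetical settlement step modelled on a fixed-point contract: the
/// stored i64 balance is widened, a signed i128 delta is applied, and the
/// result is narrowed back to the storage type with a plain cast.
pub fn apply_delta_unchecked(balance: i64, delta: i128) -> i64 {
    (i128::from(balance) + delta) as i64
}

/// Same step with checked arithmetic throughout: None on i128 overflow or
/// when the result does not fit an i64, so the caller must handle it.
pub fn apply_delta_checked(balance: i64, delta: i128) -> Option<i64> {
    let sum = i128::from(balance).checked_add(delta)?;
    i64::try_from(sum).ok()
}

fn main() {
    // Constructed input: a deficit one unit larger than i64 can represent.
    let deficit = i128::from(i64::MIN) - 1;
    println!("unchecked: {}", apply_delta_unchecked(0, deficit)); // 9223372036854775807
    println!("checked:   {:?}", apply_delta_checked(0, deficit)); // None
}
```

The unchecked path turns the deficit into i64::MAX, the "massive deficit becomes massive gain" outcome from the summary; the checked path returns None and leaves it to the contract to fail the transaction.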

Remediation Steps:

  1. Open Cargo.toml in your Soroban project.
  2. Locate soroban-fixed-point-math dependency.
  3. Update the version constraint to ^1.4.1 (or ^1.3.1 if staying on the 1.3 line).
  4. Run cargo update -p soroban-fixed-point-math to refresh Cargo.lock with the patched crate.
  5. Run cargo test to ensure no regression in math logic.

Read the full report for CVE-2026-24783 on our website for more details including interactive diagrams and full exploit analysis.
