
Soroban Fixed Point Math CVE-2026-24783

HIGH
Incorrect Calculation (CWE-682)
Published 2026-01-27 | security-advisories@github.com | GHSA-x5m4-43jf-hh65
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:55 (vuln.today)
Patch released / Patch available: Mar 02, 2026 - 21:16 (nvd)
CVE Published: Jan 27, 2026 - 22:15 (nvd)

Description (NVD)

soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the mulDiv(x, y, z) function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are fixed_div_floor and fixed_div_ceil, as they often use non-constant numbers as the divisor $z$ in mulDiv. This error is present in all signed FixedPoint and SorobanFixedPoint implementations, including i64, i128, and I256. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available.
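The rounding rule the description refers to, shown as an added Rust example rather than the library's own code: a mul_div that decides the rounding direction from the sign of the exact quotient (product and divisor compared), next to a hypothetical reconstruction of the flawed test that looks only at the product's sign. Integer `/` and `%` truncate toward zero, so floor and ceil are obtained by adjusting the truncated quotient by one in the right cases.

```rust
/// Rounding direction for mul_div.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rounding {
    Floor,
    Ceil,
}

/// x * y / z with explicit rounding, correct for every sign combination.
/// Returns None on overflow or division by zero (including i128::MIN / -1).
pub fn mul_div(x: i128, y: i128, z: i128, mode: Rounding) -> Option<i128> {
    let product = x.checked_mul(y)?;
    // Rust's `/` and `%` truncate toward zero; the remainder takes the dividend's sign.
    let q = product.checked_div(z)?;
    let r = product.checked_rem(z)?;
    if r == 0 {
        return Some(q); // exact division: nothing to round
    }
    // The exact quotient is negative iff product and divisor have opposite signs.
    // This is the check the advisory says was missing: the sign of z matters.
    let negative = (product < 0) != (z < 0);
    match (mode, negative) {
        (Rounding::Floor, true) => q.checked_sub(1), // truncation rounded up; go down
        (Rounding::Ceil, false) => q.checked_add(1), // truncation rounded down; go up
        _ => Some(q), // truncation already equals floor (positive) or ceil (negative)
    }
}

/// Hypothetical reconstruction of the flawed floor test described in the advisory:
/// a negative product is taken to mean a negative quotient, so z's sign is ignored.
pub fn mul_div_floor_flawed(x: i128, y: i128, z: i128) -> Option<i128> {
    let product = x.checked_mul(y)?;
    let q = product.checked_div(z)?;
    let r = product.checked_rem(z)?;
    if r != 0 && product < 0 {
        q.checked_sub(1) // wrong when z is also negative: the quotient is positive
    } else {
        Some(q)
    }
}

fn main() {
    // Constructed inputs: product (-7) and divisor (-3) both negative;
    // the exact quotient is 2.333..., so floor is 2 and ceil is 3.
    println!("correct floor: {:?}", mul_div(-7, 1, -3, Rounding::Floor)); // Some(2)
    println!("flawed floor:  {:?}", mul_div_floor_flawed(-7, 1, -3)); // Some(1)
    println!("correct ceil:  {:?}", mul_div(-7, 1, -3, Rounding::Ceil)); // Some(3)
}
```

A regression test for a fixed-point library should cover all four sign combinations of product and divisor, plus the exact-division and overflow cases, since the flaw only surfaces in one quadrant.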

Analysis (AI)

Incorrect rounding in the mulDiv() function of soroban-fixed-point-math versions 1.3.0 and 1.4.0 allows attackers to manipulate fixed-point arithmetic results in Soroban smart contracts by exploiting sign handling when both the intermediate product and divisor are negative. This affects all signed FixedPoint implementations (i64, i128, I256) and could enable financial miscalculations or loss of funds in dependent contracts. …


Remediation (AI)

Within 24 hours: Inventory all Soroban smart contracts and identify those using soroban-fixed-point-math versions 1.3.0 or 1.4.0. Within 7 days: Apply available vendor patch to all affected systems and conduct regression testing on dependent smart contracts. …


CVE-2026-24783 vulnerability details – vuln.today
