@@ -1,22 +1,35 @@
{
"schema_version": "1.4.0",
"id": "GHSA-x4xq-7w28-q486",
"modified": "2026-04-08T15:31:43Z",
"modified": "2026-04-08T15:32:45Z",
"published": "2026-04-07T18:31:37Z",
"aliases": [
"CVE-2026-4931"
],
"details": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.",
"severity": [
"summary": "MarginalProtocol Marginal v1: Unsafe uint128 downcast in adjust() enables flash loan exploit to settle large debt for negligible cost",
"details": "Ecosystem: EVM (Solidity) — Ethereum mainnet smart contract. No applicable ecosystem\noption exists in the GitHub Advisory Database for on-chain Solidity contracts.\n\nIn MarginalProtocol Marginal v1, the adjust() function in MarginalV1Pool (proxy:\n0x3A6C55Ce74d940A9B5dDDE1E57eF6e70bC8757A7) performs an unsafe downcast of margin0\n(a uint256) to uint128 without overflow validation:\n\n position.margin = uint128(margin0);\n\nIn Solidity, explicit casts do not revert on overflow. When margin0 exceeds\ntype(uint128).max, the upper bits are silently discarded via a bitwise AND operation.\nThe deployed bytecode confirms this at program counter 0x069c:\n\n 0687 | PUSH20(0xffffffffffffffffffffffffffffffff)\n 069c | AND -- uint128 truncation, no overflow check\n\nNo GT opcode. No REVERT. The truncation is unconditional and silent.\n\nAn attacker takes out a flash loan to cause margin0 to exceed 2^128 - 1, silently\ntruncating the stored margin value. This allows the attacker to settle a large debt\nposition for a negligible asset cost (demonstrated at 57,005 wei), effectively draining\ncollateral from liquidity providers. No privileges are required; the attack is executable\natomically within a single transaction. The vulnerability was patched by replacing the\nbare downcast with OpenZeppelin's SafeCast.toUint128().",
"severity": [],
"affected": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
"package": {
"ecosystem": "GitHub Actions",
"name": ""
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"type": "PACKAGE",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4931"
},
{
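Review bot: The new "affected" entry sets "ecosystem": "GitHub Actions" with an empty "name", which contradicts the details text added in this same hunk ("No applicable ecosystem option exists in the GitHub Advisory Database for on-chain Solidity contracts") and would file a Solidity contract bug under an unrelated ecosystem. Suggest leaving "affected" as [] and keeping the scope statement in "details". The range also carries only "introduced": "0" with no fixed event, although "details" says the issue was patched with SafeCast.toUint128(), so as written every version is marked affected. Two further points, reading each paired line as old then new because the rendered page has lost its +/- markers: the reference for the nvd.nist.gov URL changes type from ADVISORY to PACKAGE, and an NVD detail page is an advisory reference, so ADVISORY should stay; and "severity" becomes [], dropping the CVSS:3.1 vector, which should be kept or replaced with a revised vector rather than removed.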
@@ -44,7 +57,7 @@
"cwe_ids": [
"CWE-681"
],
"severity": "MODERATE",
"severity": "CRITICAL",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T16:16:30Z"