CVE-2026-24783 Overview
CVE-2026-24783 is a numeric truncation error vulnerability in soroban-fixed-point-math, a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the mulDiv(x, y, z) function incorrectly handles cases where both the intermediate product (x * y) and the divisor (z) are negative. The flawed logic assumes that if the intermediate product is negative, the final result must also be negative, completely neglecting the sign of the divisor z. This results in rounding being applied in the wrong direction for calculations where both x * y and z are negative.
Critical Impact
Smart contracts using this library for financial calculations may produce incorrect results when handling negative values, potentially leading to fund miscalculations and integrity violations in decentralized finance (DeFi) applications built on Soroban.
Affected Products
- soroban-fixed-point-math version 1.3.0
- soroban-fixed-point-math version 1.4.0
- All signed FixedPoint and SorobanFixedPoint implementations (i64, i128, I256)
Discovery Timeline
- 2026-01-27 - CVE-2026-24783 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24783
Vulnerability Analysis
The vulnerability exists in the core mathematical logic of the mulDiv(x, y, z) function, which is designed to compute (x * y) / z with proper handling of intermediate overflows. The function is fundamental to fixed-point arithmetic operations in smart contracts.
The root issue lies in how the function determines the sign of the result and applies rounding. When calculating division with negative numbers, the mathematical rule states that a negative divided by a negative yields a positive result. However, the vulnerable implementation only checks if the intermediate product (x * y) is negative to determine the result's sign, completely ignoring the sign of the divisor z.
This oversight causes fixed_div_floor and fixed_div_ceil functions to apply rounding in the wrong direction when both the intermediate product and divisor are negative. In financial applications, incorrect rounding can compound over many transactions, leading to systematic calculation errors.
Root Cause
The vulnerability stems from CWE-682 (Incorrect Calculation). The mulDiv function's sign determination logic is incomplete - it only considers the sign of the intermediate product (x * y) when deciding whether the result should be negative and how to apply rounding. This fails to account for the fundamental mathematical property that dividing two negative numbers produces a positive result.
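The rounding error described above, as an added Rust model (not the library's source): `negative_flawed` treats a negative product as a negative result, `negative_fixed` compares both signs, and `divergences` sweeps small operands to show the two disagree only when x * y and z are both negative and the division is inexact. All function names, the i64 operand width, and the handling of a positive product with a negative divisor are assumptions made for the illustration.

```rust
// Added illustration: a minimal model of the sign logic this advisory
// describes, not the source of soroban-fixed-point-math. Names are hypothetical.
use std::convert::TryFrom;

/// Sign test as described for 1.3.0/1.4.0: a negative product is taken to mean
/// a negative quotient, whatever the sign of the divisor.
fn negative_flawed(r: i128, z: i128) -> bool {
    r < 0 || (r > 0 && z < 0)
}

/// Corrected sign test: the quotient is negative only when the signs differ.
fn negative_fixed(r: i128, z: i128) -> bool {
    r != 0 && (r < 0) != (z < 0)
}

/// (x * y) / z rounded down (`ceil == false`) or up (`ceil == true`).
fn mul_div(x: i64, y: i64, z: i64, ceil: bool, is_neg: fn(i128, i128) -> bool) -> Option<i64> {
    if z == 0 { return None; }
    let (r, z) = (x as i128 * y as i128, z as i128); // i64 * i64 always fits in i128
    let (q, inexact) = (r / z, r % z != 0); // `/` truncates toward zero
    // Truncation is already floor for positive quotients and ceil for negative ones.
    let q = match (ceil, is_neg(r, z), inexact) {
        (false, true, true) => q - 1,
        (true, false, true) => q + 1,
        _ => q,
    };
    i64::try_from(q).ok()
}

/// Every (x, y, z) in [-lim, lim]^3 where the two sign tests round differently.
fn divergences(lim: i64) -> Vec<(i64, i64, i64)> {
    let mut out = Vec::new();
    for x in -lim..=lim {
        for y in -lim..=lim {
            for z in -lim..=lim {
                let differs = [false, true].iter().any(|&c| {
                    mul_div(x, y, z, c, negative_flawed) != mul_div(x, y, z, c, negative_fixed)
                });
                if differs { out.push((x, y, z)); }
            }
        }
    }
    out
}

fn main() {
    let (bad, good) = (mul_div(-7, 1, -2, false, negative_flawed), mul_div(-7, 1, -2, false, negative_fixed));
    println!("floor(-7 / -2): flawed {:?}, fixed {:?}", bad, good);
    println!("divergent inputs with |x|,|y|,|z| <= 5: {}", divergences(5).len());
}
```

The same sweep works as a regression test against any mulDiv implementation by swapping it in for the flawed variant.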
Attack Vector
The attack vector is network-based, allowing remote exploitation without authentication or user interaction. Exploitation depends on the following:
- An attacker identifies smart contracts that use vulnerable versions of soroban-fixed-point-math
- The attacker crafts transactions that invoke fixed_div_floor or fixed_div_ceil with carefully chosen negative values
- The incorrect rounding behavior produces calculation errors that could be exploited for financial gain
- Since smart contracts are immutable once deployed, affected contracts remain vulnerable until upgraded
The vulnerability affects data integrity rather than confidentiality or availability, making it particularly dangerous in financial contexts where precise calculations are critical.
rust-version = "1.89"
[dependencies]
-soroban-sdk = { version = "23.0.2" }
+soroban-sdk = { version = "23" }
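Review bot: the `+soroban-sdk = { version = "23" }` line lowers the minimum accepted SDK from 23.0.2 to 23.0.0, because Cargo treats both strings as caret requirements; if the crate depends on anything fixed in 23.0.1 or 23.0.2, keep the patch-level floor. Nothing in this hunk touches the mulDiv sign logic, so the rounding fix itself has to be reviewed in the source changes of the same commit.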
Source: GitHub Commit Changes
The patch updates dependencies and includes improved edge case handling along with an enhanced test suite to prevent similar issues.
Detection Methods for CVE-2026-24783
Indicators of Compromise
- Unexpected calculation results in smart contracts performing fixed-point arithmetic with negative values
- Discrepancies in financial balances or token amounts that accumulate over time
- Anomalous transaction outcomes when fixed_div_floor or fixed_div_ceil functions process negative operands
Detection Strategies
- Audit smart contract dependencies to identify usage of soroban-fixed-point-math versions 1.3.0 or 1.4.0
- Implement unit tests specifically targeting division operations with negative intermediate products and negative divisors
- Review smart contract transaction logs for unexpected calculation patterns involving signed integer operations
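One way to run the dependency audit from the first bullet, as an added example rather than tooling from the advisory or the project: a small Rust check that reads Cargo.lock text and reports pins of the two affected versions. The sample lockfile is constructed, and the function names and the choice to read `Cargo.lock` from the current directory are assumptions.

```rust
// Added illustration, not part of the advisory: flags the affected releases in
// Cargo.lock text. SAMPLE_LOCK is constructed for the example.
const CRATE: &str = "soroban-fixed-point-math";
const AFFECTED: [&str; 2] = ["1.3.0", "1.4.0"]; // versions named in this advisory

/// Returns the affected versions of CRATE pinned in the given Cargo.lock text.
fn affected_pins(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = "";
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = ""; // new package table: forget the previous name
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"');
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            // The top-level lockfile `version = N` line has no package name, so it never matches.
            if name == CRATE && AFFECTED.contains(&v) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

const SAMPLE_LOCK: &str = r#"
version = 4

[[package]]
name = "soroban-fixed-point-math"
version = "1.3.0"

[[package]]
name = "soroban-fixed-point-math"
version = "1.4.1"

[[package]]
name = "soroban-sdk"
version = "23.0.2"
"#;

fn main() {
    // Falls back to the constructed sample when no Cargo.lock is present.
    let lock = std::fs::read_to_string("Cargo.lock").unwrap_or_else(|_| SAMPLE_LOCK.to_string());
    for v in affected_pins(&lock) {
        println!("{} {} is affected, upgrade to 1.3.1 or 1.4.1", CRATE, v);
    }
}
```

Checking the lockfile rather than Cargo.toml catches the crate when it arrives as a transitive dependency.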
Monitoring Recommendations
- Monitor deployed contracts for transactions that may trigger the vulnerable code path with negative operands
- Implement logging for division operations in affected contracts to detect calculation anomalies
- Track financial discrepancies that may indicate exploitation of the rounding error
How to Mitigate CVE-2026-24783
Immediate Actions Required
- Upgrade soroban-fixed-point-math to version 1.3.1 or 1.4.1 immediately
- Audit all smart contracts using the vulnerable library versions for potential financial impact
- Review historical transactions for contracts using affected versions to identify any exploitation
Patch Information
The vulnerability has been patched in versions 1.3.1 and 1.4.1 of soroban-fixed-point-math. The fix corrects the sign determination logic in the mulDiv function to properly account for the sign of both the intermediate product and the divisor.
Workarounds
- No known workarounds are available for this vulnerability
- Upgrading to patched versions (1.3.1 or 1.4.1) is the only remediation option
- Consider temporarily restricting operations that may involve negative values in affected contracts until upgrade is complete
# Update Cargo.toml dependency to patched version
# Change from vulnerable version:
# soroban-fixed-point-math = "1.3.0" or "1.4.0"
# To patched version:
soroban-fixed-point-math = "1.3.1" # or "1.4.1" depending on your version track

