github.com/onflow/flow-go is vulnerable to Integer Overflow or Wraparound
30
Low Risk
Affected versions of this package are vulnerable to an EVM gas accounting overflow when processing batched transactions, allowing the total computed gas to wrap around and be underestimated. By crafting a batch with carefully sized offsets/lengths and large individual EVM calls, an attacker can trigger index or arithmetic overflows during decoding or gas aggregation, causing the system to accept and execute high-gas transactions while charging little or no gas. This enables effectively “free” execution, leading to resource exhaustion, denial of service, or economic abuse until proper bounds checks and overflow protections are enforced.
You are affected if you are using a version that falls within the vulnerable range.
github.com/onflow/flow-go is vulnerable to Integer Overflow or Wraparound in versions 0.1.0 - 0.44.0.
Upgrade the github.com/onflow/flow-go library to a patched version.
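The gas aggregation wraparound described above, shown next to a checked sum that rejects the batch instead. This is an added example, not code from flow-go; the function names, the error value, the per-batch limit and the sample gas values are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/bits"
)

// Hypothetical names throughout; this is not flow-go code.
var ErrGasOverflow = errors.New("batch gas total overflows uint64")

// SumGasUnchecked adds per-transaction gas with plain uint64 arithmetic.
// Go wraps silently on overflow, so a large batch can report a tiny total.
func SumGasUnchecked(gas []uint64) uint64 {
	var total uint64
	for _, g := range gas {
		total += g
	}
	return total
}

// SumGasChecked adds per-transaction gas and rejects the batch when the
// running total overflows or exceeds the (assumed) per-batch limit.
func SumGasChecked(gas []uint64, limit uint64) (uint64, error) {
	var total uint64
	for i, g := range gas {
		sum, carry := bits.Add64(total, g, 0)
		if carry != 0 {
			return 0, fmt.Errorf("tx %d: %w", i, ErrGasOverflow)
		}
		if sum > limit {
			return 0, fmt.Errorf("tx %d: batch gas %d exceeds limit %d", i, sum, limit)
		}
		total = sum
	}
	return total, nil
}

func main() {
	// Constructed sample: the true sum is 2^64 + 5, which does not fit in a uint64.
	batch := []uint64{math.MaxUint64 - 4, 10}
	fmt.Println("unchecked total:", SumGasUnchecked(batch))
	_, err := SumGasChecked(batch, math.MaxUint64)
	fmt.Println("checked result:", err)
}
```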