CVE-2026-4931

Description

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.

CVSS Details

CVSS Score

6.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Marginal v1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// This is a simplified representation of the vulnerable logic
contract MarginalV1 Vulnerability {
    mapping(address => uint256) public debtPosition;

    // Simulating the vulnerability: Unsafe Downcast
    function settleDebt() external payable {
        uint256 currentDebt = debtPosition[msg.sender];
        
        // VULNERABILITY: Direct downcast from uint256 to uint128
        // If currentDebt > type(uint128).max, it wraps around to a small number
        uint128 requiredPayment = uint128(currentDebt);
        
        require(msg.value >= requiredPayment, "Payment too low");
        
        debtPosition[msg.sender] = 0;
        // Attacker clears a massive debt by paying a tiny amount
    }

    function borrow(uint256 amount) external {
        debtPosition[msg.sender] += amount;
    }
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4931
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4931
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4931/
[4] VulDB https://vuldb.com/cve/CVE-2026-4931
[5] https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types
[6] https://github.com/MarginalProtocol
[7] https://marginal.gitbook.io/docs
[8] https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db
[9] https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4931", "sourceIdentifier": "[email protected]", "published": "2026-04-07T16:16:30.410", "lastModified": "2026-04-08T21:27:00.663", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-681"}]}], "references": [{"url": "https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types", "source": "[email protected]"}, {"url": "https://github.com/MarginalProtocol", "source": "[email protected]"}, {"url": "https://marginal.gitbook.io/docs", "source": "[email protected]"}, {"url": "https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db", "source": "[email protected]"}, {"url": "https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041/", "source": "[email protected]"}]}}