CVE-2025-66559

Taiko Alethia Pacaya inbox verification pointer corruption

CVSS 8 HIGHEPSS 0.3%CWE-129

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Affected products

taikoxyz · taiko-mono

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8 https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x