Impact
The vulnerability is a flaw in the mulDiv function of a fixed-point math library used by Soroban smart contracts. When both the intermediate product (x * y) and the divisor (z) are negative, the true quotient is positive, but the code assumes the result must be negative and applies rounding in the wrong direction. This causes the fixed_div_floor and fixed_div_ceil functions, which commonly take caller-supplied (dynamic) divisors, to produce inaccurate results for negative operands. The bug could lead to financial miscalculation or consensus errors in affected contracts, and its CVSS score of 7.5 reflects a high impact on correctness and potential for financial loss.
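The following is a constructed illustration of the flaw class described above, added here for clarity; it is not the library's own code. It places a floor/ceil mul-div whose sign test is wrong in the way the advisory describes (the result is assumed negative when either the product or the divisor is negative) beside a corrected version that tests whether the signs differ, and shows how a fixed_div_floor-style wrapper inherits the error. Function names, the i128 width and the sample operands are assumptions.

```rust
// Constructed example: buggy vs. corrected signed mul-div rounding.
// The product x * y is assumed not to overflow i128 for these inputs.

fn split(x: i128, y: i128, z: i128) -> (i128, i128, i128) {
    let p = x * y;   // intermediate product
    (p, p / z, p % z) // Rust `/` and `%` truncate toward zero
}

/// Flawed: treats the result as negative whenever the product OR the
/// divisor is negative, so a negative product over a negative divisor
/// (a positive quotient) is rounded the wrong way.
fn mul_div_floor_buggy(x: i128, y: i128, z: i128) -> i128 {
    let (p, q, r) = split(x, y, z);
    let assumed_negative = p < 0 || z < 0;
    if r != 0 && assumed_negative { q - 1 } else { q }
}

fn mul_div_ceil_buggy(x: i128, y: i128, z: i128) -> i128 {
    let (p, q, r) = split(x, y, z);
    let assumed_negative = p < 0 || z < 0;
    if r != 0 && !assumed_negative { q + 1 } else { q }
}

/// Corrected: the quotient is negative only when the signs differ.
fn mul_div_floor_fixed(x: i128, y: i128, z: i128) -> i128 {
    let (p, q, r) = split(x, y, z);
    let negative = (p < 0) != (z < 0);
    if r != 0 && negative { q - 1 } else { q }
}

fn mul_div_ceil_fixed(x: i128, y: i128, z: i128) -> i128 {
    let (p, q, r) = split(x, y, z);
    let negative = (p < 0) != (z < 0);
    if r != 0 && !negative { q + 1 } else { q }
}

/// Hypothetical fixed-point division wrapper: x / y at a given scale,
/// computed as (x * scale) / y. A negative `y` is the dynamic divisor
/// that reaches the flawed rounding path.
fn fixed_div_floor_buggy(x: i128, y: i128, scale: i128) -> i128 {
    mul_div_floor_buggy(x, scale, y)
}

fn fixed_div_floor_fixed(x: i128, y: i128, scale: i128) -> i128 {
    mul_div_floor_fixed(x, scale, y)
}

fn main() {
    // -7 / -2 = 3.5: floor should be 3, ceil should be 4.
    println!("floor buggy={} fixed={}", mul_div_floor_buggy(7, -1, -2), mul_div_floor_fixed(7, -1, -2));
    println!("ceil  buggy={} fixed={}", mul_div_ceil_buggy(7, -1, -2), mul_div_ceil_fixed(7, -1, -2));
}
```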
Affected Systems
The issue exists in script3’s soroban-fixed-point-math library versions 1.3.0 and 1.4.0, affecting all signed FixedPoint and SorobanFixedPoint types (i64, i128, I256). Updated releases 1.3.1 and 1.4.1 contain the patch and resolve the problem. Any deployment that references the unpatched versions is vulnerable.
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability poses a significant correctness risk, but the EPSS score is below 1%, indicating a low probability of exploitation. The bug is not listed in the CISA KEV catalog. An attacker would need to craft a contract that uses the affected division functions with negative operands to influence calculation results. While no remote code execution or denial-of-service effect is possible, the improper rounding could be exploited for financial manipulation or to trigger consensus faults in the network. The attack vector is likely contract interaction rather than external access, which makes active exploitation difficult but not impossible in a malicious or buggy context.
OpenCVE Enrichment