Description
Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.
Published: 2026-04-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Financial Loss Due to Unauthorized Debt Settlement
Action: Apply Patch
AI Analysis

Impact

The smart contract in Marginal v1 contains an unsafe downcast that allows an attacker to settle a large debt position for a negligible asset cost. This flaw represents an incorrect conversion between numeric types, enabling the manipulation of debt settlement logic and potentially draining or redirecting funds. The vulnerability compromises the integrity of the contract’s financial operations, allowing attackers to achieve large economic gains at minimal expense.

Affected Systems

The vulnerability affects the Marginal Smart Contract, specifically version 1 of the contract. No additional version granularity is reported. The issue is tied directly to the smart contract code deployed by the Marginal Protocol team.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate risk, while the EPSS score of less than 1% suggests a low likelihood that attackers have already leveraged this flaw in the wild. The vulnerability is not currently listed in CISA’s KEV catalog, implying no known active exploitation. The attack vector is inferred to be an on‑chain transaction that triggers the unsafe downcast during debt settlement, requiring only that an attacker crafts a transaction to the vulnerable contract.

Generated by OpenCVE AI on April 8, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security update that corrects the unsafe downcast in Marginal v1.
  • If no update is available yet, avoid sending transactions that settle debt positions on the vulnerable contract until a fix is released.
  • Continuously monitor the vendor’s advisory channels for a patch announcement.

Generated by OpenCVE AI on April 8, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Marginal
Marginal marginal Smart Contract
Vendors & Products Marginal
Marginal marginal Smart Contract

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-681
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.
Title CVE-2026-4931
References

Subscriptions

Marginal Marginal Smart Contract
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-08T14:45:03.884Z

Reserved: 2026-03-26T19:31:49.120Z

Link: CVE-2026-4931

cve-icon Vulnrichment

Updated: 2026-04-08T14:42:46.362Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:30.410

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-4931

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:48:15Z

Weaknesses