
CVE-2025-66559: Critical Chain Corruption Bug Found in Taiko Alethia Rollup

Overview

CVE-2025-66559 identifies a critical vulnerability in Taiko Alethia, an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum. This vulnerability, present in versions 2.3.1 and earlier, could lead to chain corruption due to an issue in how batches were verified. While no CVSS score is available, the potential impact on the integrity of the rollup is significant.

Technical Details

The vulnerability resides within the TaikoInbox._verifyBatches function (specifically packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) of the Taiko Alethia codebase. The function incorrectly advanced the local transition ID (tid) based on the current blockHash *before* confirming the actual verification of a batch.

Here’s a breakdown of the issue:

  1. The function iterated through potential transitions matching the current blockHash.
  2. The local tid was advanced to the matching transition index.
  3. If the loop exited early, before the batch had been fully verified (for example because the matching transition was still inside its cooldown window or had been invalidated), the function nevertheless decremented batchId and wrote the *newer* tid into batches[lastVerifiedBatchId].verifiedTransitionId.

This resulted in the last verified batch pointing to a transition index from the *next* batch (often a zeroed value), effectively corrupting the verified chain pointer.
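The pointer corruption described above, modelled in Python as an added example (this is not the Taiko contract code; batch and transition structures, the cooldown constant and the hypothetical "fixed" branch are all constructed here to illustrate the ordering bug):

```python
COOLDOWN = 60  # seconds a transition must age before it can be verified (constructed)

def make_state():
    """Constructed chain state: per batch, transitions indexed from 1 plus the verified pointer."""
    return [
        {"transitions": {1: {"parent": None, "hash": "h0", "created": 0}}, "verified_tid": 1},
        {"transitions": {1: {"parent": "h0", "hash": "h1", "created": 0}}, "verified_tid": 0},
        # Batch 2: index 1 extends a wrong parent; index 2 extends h1 but is still cooling down.
        {"transitions": {1: {"parent": "zz", "hash": "x", "created": 0},
                         2: {"parent": "h1", "hash": "h2", "created": 100}}, "verified_tid": 0},
    ]

def matching_tid(batch, parent_hash):
    """Return the transition index whose parent hash matches, or 0 if there is none."""
    for tid, ts in batch["transitions"].items():
        if ts["parent"] == parent_hash:
            return tid
    return 0

def verify_batches(state, last_verified, now, fixed):
    """Walk forward from the last verified batch; return the new last verified batch id."""
    batch_id = last_verified
    tid = state[batch_id]["verified_tid"]
    block_hash = state[batch_id]["transitions"][tid]["hash"]
    batch_id += 1
    while batch_id < len(state):
        match = matching_tid(state[batch_id], block_hash)
        if match == 0:
            break
        if not fixed:
            tid = match  # BUG: the local pointer moves before the cooldown check below
        ts = state[batch_id]["transitions"][match]
        if ts["created"] + COOLDOWN > now:
            break  # still in cooldown: this batch is NOT verified, but tid already moved
        tid = match  # hardened ordering: commit the pointer only after every check passed
        block_hash = ts["hash"]
        batch_id += 1
    batch_id -= 1  # step back to the last batch that actually passed
    if batch_id != last_verified:
        state[batch_id]["verified_tid"] = tid  # buggy path may write the NEXT batch's index
    return batch_id

def verified_hash(state, batch_id):
    """Read the hash the verified pointer refers to; a missing index reads as a zeroed slot."""
    batch = state[batch_id]
    ts = batch["transitions"].get(batch["verified_tid"])
    return ts["hash"] if ts else "0x0"

if __name__ == "__main__":
    for fixed in (False, True):
        s = make_state()
        last = verify_batches(s, 0, now=120, fixed=fixed)
        print("fixed" if fixed else "buggy", last, s[last]["verified_tid"], verified_hash(s, last))
```

With the buggy ordering, batch 1 is verified but its pointer is set to index 2, which only exists in batch 2, so the verified hash reads back as a zeroed value.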

CVSS Analysis

Currently, a CVSS score is not available for CVE-2025-66559. However, given the potential for chain corruption, the severity is considered high. The lack of a CVSS score doesn’t diminish the importance of addressing this vulnerability promptly.

Possible Impact

The chain corruption vulnerability could have significant consequences:

  • Loss of Data Integrity: The verified chain pointer becomes unreliable, potentially leading to inconsistencies in the rollup’s state.
  • Rollback Attacks: Attackers might exploit the corrupted chain to revert to earlier states, potentially double-spending or manipulating data.
  • Stalled Rollup: In severe cases, the chain corruption could halt the rollup’s operation, requiring manual intervention and potentially a hard fork to resolve.
  • Erosion of Trust: The integrity of the rollup is paramount, and such vulnerabilities can erode trust in the system.

Mitigation and Patch Steps

The vulnerability has been addressed in a patch. It is strongly recommended that all Taiko Alethia deployments using versions 2.3.1 and earlier be upgraded to the patched version immediately.

The fix likely involves ensuring that verifiedTransitionId is only updated *after* successful verification of the batch. Review the provided commit for the specific implementation details.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
