Reported

October 25, 2022

Issued

February 2, 2023

Package

evm (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Aliases

• CVE-2022-39354
• GHSA-hhc4-47rh-cr34

References

• https://github.com/rust-blockchain/evm/pull/133

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Patched

• >=0.36.0

Description

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine.

A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done.

Prior to version 0.36.0, the passed is_static parameter was incorrect -- it was only set to true if the call came from a direct STATICCALL opcode.

However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses is_static.

For those affected, the issue can lead to possible incorrect state transitions.

Advisory available under CC0-1.0 license.