Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NTdoLTZobWgtZzJwNM4AAvAd
Weight not properly refunded after EVM execution
Impact
Previously, the worst case weight was always accounted as the block weight for all cases. In case of large EVM gas refunds, this can lead to block spamming attacks -- the adversary can construct blocks with transactions that have large amount of refunds or unused gases with reverts, and as a result inflate up the chain gas prices. This issue is fixed by properly refund unused weights after each EVM execution.
The impact of this issue is limited in that the spamming attack would still be costly for any adversary, and it has no ability to alter any chain state.
Patches
The issue is fixed in https://github.com/paritytech/frontier/pull/851
Workarounds
None.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
- Open an issue in Frontier repo
- Email Wei
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NTdoLTZobWgtZzJwNM4AAvAd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-v57h-6hmh-g2p4, CVE-2022-39242
References:
- https://github.com/paritytech/frontier/security/advisories/GHSA-v57h-6hmh-g2p4
- https://github.com/paritytech/frontier/pull/851
- https://nvd.nist.gov/vuln/detail/CVE-2022-39242
- https://github.com/advisories/GHSA-v57h-6hmh-g2p4
Blast Radius: 1.0
Affected Packages
cargo:frontier
Dependent packages: 0Dependent repositories: 0
Downloads: 629 total
Affected Version Ranges: <= 0.1.0
No known fixed version
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.0.3, 0.1.0