Integer underflow in Frontier

Moderate severity GitHub Reviewed Published Jan 14, 2022 in polkadot-evm/frontier • Updated Oct 24, 2024

Package

cargo pallet-evm-precompile-modexp (Rust)

Affected versions

<= 1.0.0

Patched versions

None

Description

Impact

A bug in Frontier's MODEXP precompile implementation can cause an integer underflow under certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible.

If you do not use the MODEXP precompile in your runtime, then you are not impacted.
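The difference between debug and release builds described above follows from how Rust treats integer overflow in each profile. The sketch below is an added illustration, not Frontier's code and not the actual defect: the length subtraction, `HEADER_LEN`, `GAS_PER_BYTE`, and all function names are hypothetical, chosen only to show a panic in one profile, a wrapped value ending in out-of-gas in the other, and a `checked_sub` form that behaves the same in both.

```rust
// Added illustration; every name and constant here is hypothetical, not Frontier's code.
const HEADER_LEN: usize = 96; // assumed fixed prefix before the variable-length data
const GAS_PER_BYTE: u64 = 3; // assumed per-byte cost

#[derive(Debug, PartialEq)]
enum ExitError {
    OutOfGas,
    InvalidInput,
}

/// Models a plain `input_len - HEADER_LEN` in a debug build: overflow checks
/// are on by default, so an underflow panics and takes the process down.
fn payload_len_debug(input_len: usize) -> usize {
    input_len.checked_sub(HEADER_LEN).expect("attempt to subtract with overflow")
}

/// Models the same expression in a release build: overflow checks are off by
/// default, so the result silently wraps to a value near usize::MAX.
fn payload_len_release(input_len: usize) -> usize {
    input_len.wrapping_sub(HEADER_LEN)
}

/// Hardened form: a too-short input is rejected identically in every profile.
fn payload_len_checked(input_len: usize) -> Result<usize, ExitError> {
    input_len.checked_sub(HEADER_LEN).ok_or(ExitError::InvalidInput)
}

/// Gas is charged before any work is done, so a wrapped length is never acted on.
fn charge_gas(len: usize, gas_limit: u64) -> Result<u64, ExitError> {
    let cost = (len as u64).saturating_mul(GAS_PER_BYTE);
    if cost > gas_limit { Err(ExitError::OutOfGas) } else { Ok(cost) }
}

fn main() {
    let short_input = 10; // constructed input: shorter than HEADER_LEN
    let panicked = std::panic::catch_unwind(|| payload_len_debug(short_input)).is_err();
    println!("debug:   panicked = {}", panicked);
    let wrapped = payload_len_release(short_input);
    println!("release: len = {}, gas = {:?}", wrapped, charge_gas(wrapped, 1_000_000));
    println!("checked: {:?}", payload_len_checked(short_input));
    println!("valid:   {:?}", payload_len_checked(128).and_then(|n| charge_gas(n, 1_000_000)));
}
```

Setting `overflow-checks = true` in a release profile makes release builds panic like debug builds, so explicit `checked_*` arithmetic on untrusted lengths is the profile-independent fix.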

Patches

Patches are applied in PR #549.

Workarounds

None.

References

Patch PR: #549

Credits

Thanks to SR-Labs for discovering the security vulnerability, and thanks to the PureStake team for the patches.

For more information

If you have any questions or comments about this advisory:

@sorpaas sorpaas published to polkadot-evm/frontier Jan 14, 2022
Published by the National Vulnerability Database Jan 14, 2022
Reviewed Jan 14, 2022
Published to the GitHub Advisory Database Jan 14, 2022
Last updated Oct 24, 2024

Severity

Moderate

EPSS score

0.097%
(42nd percentile)

Weaknesses

CVE ID

CVE-2022-21685

GHSA ID

GHSA-cjg2-2fjg-fph4

Source code
