Integer underflow in Frontier

Description

Impact

A bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible.

If you do not use MODEXP precompile in your runtime, then you are not impacted.

Patches

Patches are applied in PR #549.

Workarounds

None.

References

Patch PR: #549

Credits

Thanks to SR-Labs for discovering the security vulnerability, and thanks to PureStake team for the patches.

For more information

If you have any questions or comments about this advisory:
* Open an issue in the Frontier repo

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2022-01-14 21:03:36 UTC
Updated
2024-10-24 21:50:43 UTC
GitHub reviewed
2022-01-14 19:58:51 UTC
NVD published
2022-01-14

EPSS Score

Score Percentile
0.44% 62.52%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-191 Integer Underflow (Wrap or Wraparound)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust pallet-evm-precompile-modexp <= 1.0.0

References

cvelogic Threat Intelligence