A bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible.
If you do not use MODEXP precompile in your runtime, then you are not impacted.
Patches are applied in PR #549.
None.
Patch PR: #549
Thanks to SR-Labs for discovering the security vulnerability, and thanks to PureStake team for the patches.
If you have any questions or comments about this advisory:
* Open an issue in the Frontier repo
| Score | Percentile |
|---|---|
| 0.44% | 62.52% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-cjg2-2fjg-fph4 ↗ |
| CVE | CVE-2022-21685 ↗ |
| CWE id | Name |
|---|---|
| CWE-191 | Integer Underflow (Wrap or Wraparound) |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | pallet-evm-precompile-modexp | <= 1.0.0 | — | — |