Specification non-compliance in JUMPI

Description

Impact

In evm crate < 0.31.0, JUMPI opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check.

Patches

This is a high severity security advisory if you use evm crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after 0.31.0.

This is a low severity security advisory if you use evm crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is not recommended to update to on or after 0.31.0 until all the normal chain upgrade preparations have been done. If you use Frontier or other pallet-evm based Substrate blockchain, please ensure to update your spec_version before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this.

Workarounds

If you are dependent on an older version of evm and cannot update due to API interface changes, please contact Wei by email ([email protected]), who will be happy to help you to publish patch releases for older evm versions.

References

Fix PR: https://github.com/rust-blockchain/evm/pull/67

For more information

If you have any questions or comments about this advisory:
* Open an issue in the evm repo.

Special thanks

Special thanks to @rakita for reporting this issue.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2021-10-19 15:28:35 UTC
Updated
2023-02-01 05:06:13 UTC
GitHub reviewed
2021-10-18 21:06:02 UTC
NVD published
2021-10-18

EPSS Score

Score Percentile
0.33% 55.64%

CVSS Scores

Base score Version Severity Vector
8.7 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-670 Always-Incorrect Control Flow Implementation

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust evm < 0.31.0 0.31.0

References

cvelogic Threat Intelligence