CVSS: 8.2EPSS: 0%CPEs: 4EXPL: 1CVE-2022-35936 – Ethermint DoS through Unintended Contract Selfdestruct
https://notcve.org/view.php?id=CVE-2022-35936
Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount`function, all contracts that used the identical bytecode (i.e shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. • https://github.com/evmos/ethermint/blob/c9d42d667b753147977a725e98ed116c933c76cb/x/evm/keeper/statedb.go#L199-L203 https://github.com/evmos/ethermint/commit/144741832007a26dbe950512acbda4ed95b2a451 https://github.com/evmos/ethermint/security/advisories/GHSA-f92v-grc2-w2fg • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-43839 – Drainage of FeeCollector's Block Transaction Fees
https://notcve.org/view.php?id=CVE-2021-43839
Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience. • https://github.com/crypto-org-chain/cronos/commit/150ef237b37ac28c8136e1c0f494932860b9ebe8 https://github.com/crypto-org-chain/cronos/pull/270 https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25835
https://notcve.org/view.php?id=CVE-2021-25835
Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack. Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0 está afectado por una vulnerabilidad de reproducción de transacciones entre cadenas en el módulo EVM. Dado que ethermint usa los mismos esquemas de chainIDEpoch y firma con ethereum para la compatibilidad, una firma verificada en ethereum sigue siendo válida en ethermint con el mismo contenido de msg y chainIDEpoch, que permite el ataque de "cross-chain transaction replay" • https://github.com/cosmos/ethermint/issues/687 https://github.com/cosmos/ethermint/pull/692 • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2021-25837
https://notcve.org/view.php?id=CVE-2021-25837
Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. Due to the inconsistency between the Storage caching cycle and the Tx processing cycle, Storage changes caused by a failed transaction are improperly reserved in memory. Although the bad storage cache data will be discarded at EndBlock, it is still valid in the current block, which enables many possible attacks such as an "arbitrary mint token". Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0, está afectado por la inconsistencia del ciclo de vida de la caché en el módulo EVM. Debido a la inconsistencia entre el ciclo de almacenamiento en caché y el ciclo de procesamiento de Tx, los cambios de almacenamiento causados ?? • https://github.com/iczc/Ethermint-CVE-2021-25837 https://github.com/cosmos/ethermint/issues/667#issuecomment-759284107 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25836
https://notcve.org/view.php?id=CVE-2021-25836
Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. The bytecode set in a FAILED transaction wrongfully remains in memory(stateObject.code) and is further written to persistent store at the Endblock stage, which may be utilized to build honeypot contracts. Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0 está afectado por la inconsistencia del ciclo de vida de la caché en el módulo EVM. El bytecode establecido en una transacción FAILED permanece erróneamente en la memoria (stateObject.code) y se escribe posteriormente en el almacén persistente en la etapa Endblock, que puede ser usado para construir contratos de honeypot • https://github.com/cosmos/ethermint/issues/667#issuecomment-759284303 •