CVE-2022-35936 – Ethermint DoS through Unintended Contract Selfdestruct

https://notcve.org/view.php?id=CVE-2022-35936

Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount`function, all contracts that used the identical bytecode (i.e shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. • https://github.com/evmos/ethermint/blob/c9d42d667b753147977a725e98ed116c933c76cb/x/evm/keeper/statedb.go#L199-L203 https://github.com/evmos/ethermint/commit/144741832007a26dbe950512acbda4ed95b2a451 https://github.com/evmos/ethermint/security/advisories/GHSA-f92v-grc2-w2fg • CWE-668: Exposure of Resource to Wrong Sphere •