CVE-2023-45130

Frontier opcode SUICIDE touches too many storage values on large contracts

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Frontier is Substrate's Ethereum compatibility layer. Prior to commit aea528198b3b226e0d20cce878551fd4c0e3d5d0, at the end of a contract execution, when opcode SUICIDE marks a contract to be deleted, the software uses `storage::remove_prefix` (now renamed to `storage::clear_prefix`) to remove all storages associated with it. This is a single IO primitive call passing the WebAssembly boundary. For large contracts, the call (without providing a `limit` parameter) can be slow. In addition, for parachains, all storages to be deleted will be part of the PoV, which easily exceed relay chain PoV size limit. On the other hand, Frontier's maintainers only charge a fixed cost for opcode SUICIDE. The maintainers consider the severity of this issue high, because an attacker can craft a contract with a lot of storage values on a parachain, and then call opcode SUICIDE on the contract. If the transaction makes into a parachain block, the parachain will then stall because the PoV size will exceed relay chain's limit. This is especially an issue for XCM transactions, because they can't be skipped. Commit aea528198b3b226e0d20cce878551fd4c0e3d5d0 contains a patch for this issue. For parachains, it's recommended to issue an emergency runtime upgrade as soon as possible. For standalone chains, the impact is less severe because the issue mainly affects PoV sizes. It's recommended to issue a normal runtime upgrade as soon as possible. There are no known workarounds.

Frontier es la capa de compatibilidad con Ethereum de Substrate. Antes del commit aea528198b3b226e0d20cce878551fd4c0e3d5d0, al final de la ejecución de un contrato, cuando el código de operación SUICIDE marca un contrato para ser eliminado, el software utiliza `storage::remove_prefix` (ahora renombrado a `storage::clear_prefix`) para eliminar todos los almacenamientos asociados con él. Esta es una única llamada primitiva de IO que pasa el límite de WebAssembly. Para contratos grandes, la llamada (sin proporcionar un parámetro de "limit") puede ser lenta. Además, para las parachains, todos los almacenamientos que se eliminarán formarán parte del PoV, que excede fácilmente el límite de tamaño de PoV de la cadena de retransmisión. Por otro lado, los mantenedores de Frontier solo cobran un costo fijo por el código de operación SUICIDE. Los mantenedores consideran que la gravedad de este problema es alta, porque un atacante puede crear un contrato con muchos valores de almacenamiento en una parachain y luego llamar al código de operación SUICIDE en el contrato. Si la transacción se convierte en un bloque de parachain, la parachain se detendrá porque el tamaño del PoV excederá el límite de la cadena de retransmisión. Esto es especialmente un problema para las transacciones XCM, porque no se pueden omitir. El commit aea528198b3b226e0d20cce878551fd4c0e3d5d0 contiene un parche para este problema. Para las parachains, se recomienda publicar una actualización de emergencia del tiempo de ejecución lo antes posible. Para las cadenas independientes, el impacto es menos grave porque el problema afecta principalmente a los tamaños de PoV. Se recomienda publicar una actualización del tiempo de ejecución normal lo antes posible. No se conocen workarounds.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-04 CVE Reserved
2023-10-13 CVE Published
2024-09-12 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/paritytech/frontier/commit/aea528198b3b226e0d20cce878551fd4c0e3d5d0	2023-10-24
https://github.com/paritytech/frontier/pull/1212	2023-10-24
https://github.com/paritytech/frontier/security/advisories/GHSA-gc88-2gvv-gp3v	2023-10-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Parity Search vendor "Parity"		Frontier Search vendor "Parity" for product "Frontier"				<= 0.1.0 Search vendor "Parity" for product "Frontier" and version " <= 0.1.0"		rust		Affected