Exposure of Resource to Wrong Sphere Affecting github.com/crypto-org-chain/cronos package, versions <0.8.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMCRYPTOORGCHAINCRONOS-2976189
- published 7 Aug 2022
- disclosed 7 Aug 2022
- credit yihuang, Tomas Tauber
How to fix?
:
If it is not possible to upgrade to the fixed version, the user can redeploy the same contract, i.e. with identical bytecode, so that the original contract's code is recovered. The new contract deployment restores the bytecode hash -> bytecode entry in the internal state.
Overview
github.com/crypto-org-chain/cronos is a Crypto.org EVM Chain which aims to massively scale the DeFi ecosystem. It is powered by Ethermint, a scalable and interoperable Ethereum, built on Proof-of-Stake with fast-finality using the Cosmos SDK.
Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to a bug in the DeleteAccount function, all contracts sharing identical bytecodes (i.e sharing the same CodeHash) will also stop working once one contract invokes selfdestruct, even though only a single contract invoked the selfdestruct OPCODE.
Remediation:
If it is not possible to upgrade to the fixed version, the user can redeploy the same contract, i.e. with identical bytecode, so that the original contract's code is recovered. The new contract deployment restores the bytecode hash -> bytecode entry in the internal state.