Always-Incorrect Control Flow Implementation Affecting evm Open this link in a new tab package, versions <0.31.0
Attack Complexity
High
Scope
Changed
Confidentiality
High
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-RUBY-EVM-1759748
-
published
20 Oct 2021
-
disclosed
19 Oct 2021
-
credit
Unknown
Introduced: 19 Oct 2021
CVE-2021-41153 Open this link in a new tabHow to fix?
Upgrade evm to version 0.31.0 or higher.
Overview
evm is a SputnikVM: Rust Ethereum Virtual Machine Implementation.
Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation as the opcode's condition is checked after the destination validity check, while according to Geth and OpenEthereum, the condition check should happen before the destination validity check.
This is an high severity security advisory if using evm crate for Ethereum mining.
This is a low severity security advisory if using evm crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory.