Always-Incorrect Control Flow Implementation Affecting evm Open this link in a new tab package, versions <0.31.0


0.0
high
  • Attack Complexity

    High

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-RUBY-EVM-1759748

  • published

    20 Oct 2021

  • disclosed

    19 Oct 2021

  • credit

    Unknown

How to fix?

Upgrade evm to version 0.31.0 or higher.

Overview

evm is a SputnikVM: Rust Ethereum Virtual Machine Implementation.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation as the opcode's condition is checked after the destination validity check, while according to Geth and OpenEthereum, the condition check should happen before the destination validity check.

This is an high severity security advisory if using evm crate for Ethereum mining.

This is a low severity security advisory if using evm crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory.

References