Improper Input Validation Affecting frontier package, versions *
- Snyk ID SNYK-RUST-FRONTIER-1731711
- published 14 Oct 2021
- disclosed 13 Oct 2021
- credit Unknown
Introduced: 13 Oct 2021
CVE-2021-41138
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
Affected versions of this package are vulnerable to Improper Input Validation. In pallet-ethereum, a part of the transaction validation logic was called in the transaction pool validation, but not in block execution. Malicious actors can abuse this to put invalid transactions into a block.
The attack is limited in that the signature is always validated, and the majority of the validation is done again in the subsequent pallet-evm execution logic. However, a chain ID replay attack is possible. Moreover, spamming attacks are the main concern, although they are limited by Substrate block size limits and other factors.
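
The gap described above, reduced to a simplified model as an added example (this is not code from pallet-ethereum or the Frontier project, and it is not the project's fix). `Tx`, `Chain`, `Invalid` and the function names are hypothetical, and `sig_ok` is a boolean stand-in for real signature recovery. It contrasts a block-execution path that re-checks only the signature with one that reuses the pool's full validation:

```rust
// Simplified model of the validation gap; hypothetical names, not Frontier code.
#[derive(Clone, Debug, PartialEq)]
pub struct Tx {
    pub chain_id: u64,
    pub sig_ok: bool, // stand-in for real signature recovery
}

#[derive(Debug, PartialEq)]
pub enum Invalid { BadSignature, WrongChainId }

pub struct Chain { pub chain_id: u64 }

impl Chain {
    // Full validity check, as run by the transaction pool in this model.
    pub fn validate(&self, tx: &Tx) -> Result<(), Invalid> {
        if !tx.sig_ok { return Err(Invalid::BadSignature); }
        if tx.chain_id != self.chain_id { return Err(Invalid::WrongChainId); }
        Ok(())
    }

    // Flawed shape: block execution re-checks only the signature, so a
    // transaction signed for another chain is accepted once it is in a block.
    pub fn execute_block_flawed(&self, txs: &[Tx]) -> Result<usize, Invalid> {
        for tx in txs {
            if !tx.sig_ok { return Err(Invalid::BadSignature); }
        }
        Ok(txs.len())
    }

    // Hardened shape: block execution calls the same validate() as the pool.
    pub fn execute_block_fixed(&self, txs: &[Tx]) -> Result<usize, Invalid> {
        for tx in txs {
            self.validate(tx)?;
        }
        Ok(txs.len())
    }
}

fn main() {
    let chain = Chain { chain_id: 42 };
    let replayed = [Tx { chain_id: 1, sig_ok: true }]; // constructed sample
    println!("pool: {:?}", chain.validate(&replayed[0]));
    println!("flawed block: {:?}", chain.execute_block_flawed(&replayed));
    println!("fixed block: {:?}", chain.execute_block_fixed(&replayed));
}
```

A regression test for this class of bug feeds each transaction the pool rejects directly into the block-execution path and asserts that it is rejected there too.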