CVE-2021-25836

Vulnerability

Cosmos Network Ethermint versions up to and including v0.4.0 contain a cache lifecycle inconsistency in the EVM module. When a transaction contains multiple messages, if one message succeeds and another fails, the bytecode set during the failed transaction is not properly cleared from the stateObject.code cache. This stale bytecode is then written to persistent storage during the EndBlock stage, even though the failed transaction's state changes are rolled back. The issue is described in the Ethermint issue tracker [1].

Exploitation

An attacker can craft a transaction with multiple messages where the first message deploys a contract (setting bytecode) and the second message fails. The bytecode from the first message persists in the cache and is committed to the store. A subsequent transaction can then interact with that bytecode, effectively creating a honeypot contract that appears legitimate but behaves differently due to the inconsistent state. No special network position is required beyond the ability to submit transactions.

Impact

An attacker can create a honeypot contract that misleads users into interacting with it, potentially leading to loss of funds or other malicious outcomes. The vulnerability allows the persistence of bytecode from failed transactions, breaking the expected atomicity of multi-message transactions and enabling state inconsistencies that can be exploited for deceptive contracts.

Mitigation

The recommended mitigation is to disallow multiple messages in a single transaction, as suggested in the issue [1]. Alternatively, the commitStateDB cache should be cleared for all data in the handler phase after each transaction. As of the reference, no patched version is explicitly mentioned; users should upgrade to a version beyond v0.4.0 if a fix is released, or apply the workaround of not using multi-message transactions.