Transaction validity oversight in pallet-ethereum
Description
Frontier is Substrate's Ethereum compatibility layer. Prior to commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in pallet-ethereum can cause invalid transactions to be included in the Ethereum block state in pallet-ethereum due to not validating the input data size. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have been included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Frontier's `pallet-ethereum` lacked input data size validation, allowing inclusion of invalid Ethereum transactions that are rejected by the EVM engine.
Vulnerability
Prior to commit 0b962f218f0cdd796dadfe26c3f09e68f7861b26, pallet-ethereum (the Ethereum compatibility layer of Substrate-based networks) did not check, when validating an unsigned `transact` extrinsic for the transaction pool, that the transaction's gas limit covers the intrinsic cost of its input data [1]. An Ethereum transaction that cannot pay for its own data bytes could therefore be accepted into the pool and recorded in the Ethereum block state kept by pallet-ethereum. The affected component is the `Call::transact` branch of `validate_unsigned`, which performed no pre-validation of transaction cost (the base transaction cost plus the per-byte cost of the input data) [3][4]. The code path is reachable by submitting any transaction whose gas limit is lower than that intrinsic cost.
Exploitation
An attacker submits a crafted Ethereum transaction to a Substrate node, typically through eth_sendRawTransaction, which wraps it in an unsigned `transact` extrinsic and hands it to the transaction pool [3]. No special network position or authentication beyond access to the node's RPC endpoint is required. The transaction's gas limit must be too low to pay the intrinsic cost of its input data; the patch's own test uses a simple transfer signed with a gas limit of 0 [3]. An unpatched node accepts the transaction and records it in the block state, and the EVM engine then rejects it at execution time.
Impact
The attacker can cause an invalid transaction to appear in the block state as if it were included, but no actual state changes occur in either the internal Ethereum or Substrate state [1]. The transaction is effectively a no-op because the EVM engine rejects it. The impact is further limited by Substrate extrinsic size constraints, which cap the size of any single extrinsic [1]. There is no potential for data alteration, economic loss, or denial-of-service beyond the wasted block space.
Mitigation
The fix, introduced in commit 0b962f218f0cdd796dadfe26c3f09e68f7861b26 (PR #465), adds pre-validation of transaction cost to `validate_unsigned`: a gasometer is created with the transaction's gas limit, the call or create transaction cost of the input data is recorded against it, and if that fails the extrinsic is rejected as `InvalidTransaction::Custom(TransactionValidationError::InvalidGasLimit)` and never enters the pool [2][3][4]. The patch was published on August 27, 2021. No workarounds are available aside from applying the patch [1]. Systems running Frontier code prior to this commit are vulnerable.
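The check the patch introduces, and the truncation caveat it leaves open, are easier to see in running code. The following is an added example, not Frontier's code: it implements the intrinsic-gas pre-validation described above together with a minimal RLP decoder for legacy transactions, so the raw transaction that the patch's own ts-test submits (gas limit 0) can be fed through it. It assumes the Istanbul-era gas constants (21000 / 53000 base, 4 and 16 per data byte; Frontier takes these from the EVM config), models the U256 gas limit as a u128 so that an out-of-range limit is rejected instead of truncated, and uses hypothetical names (`pre_validate`, `LegacyTx`, `Invalid`, `validate_raw`) that do not exist in the pallet.

```rust
// Added example, not Frontier's code: the intrinsic-gas pre-validation PR #465 adds to
// validate_unsigned, plus a minimal RLP decoder so it can run on the raw legacy transaction
// the patch's own ts-test submits. Gas constants are assumed Istanbul values (Frontier reads
// them from the EVM config); pre_validate, LegacyTx and Invalid are hypothetical names.
const G_TRANSACTION: u64 = 21_000; // base cost of a call transaction
const G_TXCREATE: u64 = 53_000; // base cost of a contract-creation transaction
const G_TXDATAZERO: u64 = 4; // per zero byte of input data
const G_TXDATANONZERO: u64 = 16; // per non-zero byte of input data
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { Call, Create }

#[derive(Debug, PartialEq, Eq)]
pub enum Invalid {
    Malformed,        // not a well-formed legacy transaction
    GasLimitOverflow, // gas limit does not fit in u64 (the patch truncates it with low_u64())
    DataTooLarge,     // intrinsic cost overflows u64
    InsufficientGas { intrinsic: u64, limit: u64 }, // the case the advisory describes
}

/// Fields the check needs; gas_limit is u128 as a stand-in for the pallet's U256.
#[derive(Debug, PartialEq, Eq)]
pub struct LegacyTx { pub gas_limit: u128, pub action: Action, pub input: Vec<u8> }

/// Base cost plus per-byte data cost, charged before any EVM code runs.
pub fn intrinsic_gas(action: Action, data: &[u8]) -> Option<u64> {
    let base = match action { Action::Call => G_TRANSACTION, Action::Create => G_TXCREATE };
    let zeros = data.iter().filter(|b| **b == 0).count() as u64;
    let non_zeros = data.len() as u64 - zeros;
    base.checked_add(zeros.checked_mul(G_TXDATAZERO)?)?
        .checked_add(non_zeros.checked_mul(G_TXDATANONZERO)?)
}

/// Pool-side check: gas left after the intrinsic cost, or why the tx must not enter the pool.
/// Limits above u64::MAX are rejected rather than silently truncated.
pub fn pre_validate(action: Action, data: &[u8], gas_limit: u128) -> Result<u64, Invalid> {
    if gas_limit > u128::from(u64::MAX) { return Err(Invalid::GasLimitOverflow); }
    let limit = gas_limit as u64; // in range after the check above
    let intrinsic = intrinsic_gas(action, data).ok_or(Invalid::DataTooLarge)?;
    if limit < intrinsic {
        return Err(Invalid::InsufficientGas { intrinsic, limit });
    }
    Ok(limit - intrinsic)
}

fn hex_to_bytes(s: &str) -> Option<Vec<u8>> {
    let s = s.strip_prefix("0x").unwrap_or(s);
    if s.len() % 2 != 0 { return None; }
    (0..s.len()).step_by(2).map(|i| u8::from_str_radix(&s[i..i + 2], 16).ok()).collect()
}

/// Big-endian unsigned integer of at most 16 bytes (enough for any sane gas limit).
fn be_uint(bytes: &[u8]) -> Option<u128> {
    if bytes.len() > 16 { return None; }
    Some(bytes.iter().fold(0u128, |acc, b| (acc << 8) | u128::from(*b)))
}

/// One RLP item at `pos`: (payload offset, payload length, is_list), bounds-checked.
fn rlp_item(buf: &[u8], pos: usize) -> Option<(usize, usize, bool)> {
    let b = *buf.get(pos)?;
    let (off, len, list) = match b {
        0x00..=0x7f => (pos, 1, false),
        0x80..=0xb7 => (pos + 1, usize::from(b - 0x80), false),
        0xc0..=0xf7 => (pos + 1, usize::from(b - 0xc0), true),
        _ => { // long string (0xb8..=0xbf) or long list (0xf8..=0xff): length is prefixed
            let list = b >= 0xf8;
            let n = usize::from(if list { b - 0xf7 } else { b - 0xb7 });
            let len = be_uint(buf.get(pos + 1..pos + 1 + n)?)? as usize;
            (pos + 1 + n, len, list)
        }
    };
    if off.checked_add(len)? > buf.len() { return None; }
    Some((off, len, list))
}

/// Decode the nine fields [nonce, gasPrice, gasLimit, to, value, data, v, r, s].
pub fn parse_legacy_tx(raw: &[u8]) -> Option<LegacyTx> {
    let (off, len, is_list) = rlp_item(raw, 0)?;
    if !is_list || off + len != raw.len() { return None; }
    let (mut fields, mut pos): (Vec<&[u8]>, usize) = (Vec::new(), off);
    while pos < raw.len() {
        let (f_off, f_len, f_list) = rlp_item(raw, pos)?;
        if f_list { return None; } // every field of a legacy tx is a byte string
        fields.push(&raw[f_off..f_off + f_len]);
        pos = f_off + f_len;
    }
    if fields.len() != 9 { return None; }
    let action = match fields[3].len() { 0 => Action::Create, 20 => Action::Call, _ => return None };
    Some(LegacyTx { gas_limit: be_uint(fields[2])?, action, input: fields[5].to_vec() })
}

/// The raw transaction from the patch's ts-test: a simple transfer signed with gas limit 0.
pub const RAW_TX_FROM_PATCH_TEST: &str = "0xf86180843b9aca00809412cb274aad8251c875c0bf6872b67d9983e53fdd01801ca00e28ba2dd3c5a3fd467d4afd7aefb4a34b373314fff470bb9db743a84d674a0aa06e5994f2d07eafe1c37b4ce5471caecec29011f6f5bf0b1a552c55ea348df35f";

/// What the fixed validate_unsigned does to a raw submission: decode, then cost-check.
pub fn validate_raw(raw_hex: &str) -> Result<u64, Invalid> {
    let bytes = hex_to_bytes(raw_hex).ok_or(Invalid::Malformed)?;
    let tx = parse_legacy_tx(&bytes).ok_or(Invalid::Malformed)?;
    pre_validate(tx.action, &tx.input, tx.gas_limit)
}

fn main() {
    println!("patch test tx: {:?}", validate_raw(RAW_TX_FROM_PATCH_TEST));
    println!("oversized limit: {:?}", pre_validate(Action::Call, &[], u128::from(u64::MAX) + 1));
}
```

Running it, the transaction from the patch's test decodes to gas limit 0, a Call to a 20-byte address and empty input, and is rejected with an intrinsic cost of 21000 against a limit of 0, which is the outcome the pool error `Custom(InvalidGasLimit)` encodes in the real pallet. The same transfer with a limit of 21000 passes with 0 gas left, and a limit of 2^64 is rejected as out of range; the pallet's `low_u64()` would instead reduce it to 0 before the check.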
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pallet-ethereum (crates.io) | <= 3.0.0 | — |
Affected products
- paritytech/frontier (v5): affected range < 0b962f218f0cdd796dadfe26c3f09e68f7861b26
Patches
0b962f218f0c Add transaction cost pre-validation (#465)
2 files changed · +42 −0
frame/ethereum/src/lib.rs+21 −0 modified@@ -190,6 +190,27 @@ pub mod pallet { fn validate_unsigned(_source: TransactionSource, call: &Self::Call) -> TransactionValidity { if let Call::transact(transaction) = call { + // We must ensure a transaction can pay the cost of its data bytes. + // If it can't it should not be included in a block. + let mut gasometer = evm::gasometer::Gasometer::new( + transaction.gas_limit.low_u64(), + <T as pallet_evm::Config>::config(), + ); + let transaction_cost = match transaction.action { + TransactionAction::Call(_) => { + evm::gasometer::call_transaction_cost(&transaction.input) + } + TransactionAction::Create => { + evm::gasometer::create_transaction_cost(&transaction.input) + } + }; + if gasometer.record_transaction(transaction_cost).is_err() { + return InvalidTransaction::Custom( + TransactionValidationError::InvalidGasLimit as u8, + ) + .into(); + } + if let Some(chain_id) = transaction.signature.chain_id() { if chain_id != T::ChainId::get() { return InvalidTransaction::Custom(
ts-tests/tests/test-transaction-cost.ts+21 −0 added@@ -0,0 +1,21 @@ +import { expect } from "chai"; +import { step } from "mocha-steps"; + +import { describeWithFrontier, customRequest } from "./util"; + +describeWithFrontier("Frontier RPC (Transaction cost)", (context) => { + + step("should take transaction cost into account and not submit it to the pool", async function () { + // Simple transfer with gas limit 0 manually signed to prevent web3 from rejecting client-side. + const tx = await customRequest(context.web3, "eth_sendRawTransaction", [ + "0xf86180843b9aca00809412cb274aad8251c875c0bf6872b67d9983e53fdd01801ca00e28ba2dd3c5a3fd467\ + d4afd7aefb4a34b373314fff470bb9db743a84d674a0aa06e5994f2d07eafe1c37b4ce5471caecec29011f6f5b\ + f0b1a552c55ea348df35f", + ]); + let msg = + "submit transaction to pool failed: Pool(InvalidTransaction(InvalidTransaction::Custom(3)))"; + expect(tx.error).to.include({ + message: msg, + }); + }); +});
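Review bot: in the frame/ethereum/src/lib.rs hunk, `transaction.gas_limit.low_u64()` silently truncates the U256 gas limit to its low 64 bits, so a transaction whose gas_limit is u64::MAX + 1 + 21000 is pre-validated as if its limit were 21000 and passes a check that its declared limit was never subjected to; reject out-of-range limits before building the gasometer, e.g. `if transaction.gas_limit > U256::from(u64::MAX) { return InvalidTransaction::Custom(TransactionValidationError::InvalidGasLimit as u8).into(); }`. Two smaller points on the same hunk: the cost check lives only in `validate_unsigned`, so please confirm the same check is applied when `transact` is dispatched (pre_dispatch or the call body), since a block author can include an extrinsic that never went through the pool; and `InvalidGasLimit` deserves a doc comment saying it covers gas limits below the intrinsic data cost, because callers only ever see the numeric `Custom(..)` code.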
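Review bot: in the ts-tests hunk, the assertion pins the full pool error string `submit transaction to pool failed: Pool(InvalidTransaction(InvalidTransaction::Custom(3)))`, which couples the test to the enum ordinal of `InvalidGasLimit` and to the pool's Display formatting, so an unrelated variant reorder or message change fails it; match on the custom code or a substring instead. The raw transaction is signed with v = 0x1c (no EIP-155 chain id), so the chain-id check later in `validate_unsigned` is skipped and the new cost check is the only thing under test, which the comment should state. The test also covers only the `TransactionAction::Call` branch; add a contract-creation case with a gas limit below its intrinsic cost, and a positive case with an adequate gas limit to show the check does not reject valid transactions.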
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hw4v-5x4h-c3xm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-39193 (advisory)
- github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26 (fix commit)
- github.com/paritytech/frontier/commit/dd112e (commit)
- github.com/paritytech/frontier/pull/465 (fix pull request)
- github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae (pull request commit)
- github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm (vendor advisory)
News mentions
No linked articles in our index yet.