VYPR
High severity · NVD Advisory · Published Dec 21, 2021 · Updated Aug 4, 2024

Drainage of FeeCollector's Block Transaction Fees

CVE-2021-43839

Description

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cronos nodes before v0.6.5 allowed crafted MsgEthereumTx transactions to steal validator fees from the Cosmos SDK FeeCollector.

Vulnerability

A bug in Cronos nodes running versions before v0.6.5 allows an attacker to craft a MsgEthereumTx that wraps a transaction without the required extension option. This makes it possible to siphon transaction fees that are normally collected by the Cosmos SDK FeeCollector for the current block. The issue is fixed in Cronos v0.6.5 [1][2][4].

Exploitation

An attacker needs network access to submit transactions to a Cronos node running an affected version. By sending a specially crafted MsgEthereumTx that omits the extension option, the attacker can cause the node to handle fee collection improperly. No special authentication or elevated privileges are required, only the ability to submit a transaction to the network [1][2][4].

Impact

Successful exploitation allows the attacker to divert transaction fees that were intended for the FeeCollector, effectively stealing fees from the current block. This can lead to financial loss for validators and disrupt the expected economic model of the network [1].

Mitigation

The vulnerability is patched in Cronos v0.6.5, released on or around November 30, 2021. The fix explicitly rejects MsgEthereumTx wrapping transactions without the extension option. All validator node operators are recommended to upgrade to v0.6.5 as soon as possible. No tested workarounds are available for older versions [1][2][4].
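As an added illustration (not code from the Cronos or Ethermint projects), the rule the fix describes reduced to a self-contained Go model: a tx that carries MsgEthereumTx must also carry the Ethereum extension option, otherwise it is rejected before any fee handling. The Tx type, the route names and the type-URL constants are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed type URLs, modelled on Ethermint's evm/v1 proto names; treat them
// as placeholders for the example, not a binding to the real type registry.
const (
	msgEthereumTx    = "/ethermint.evm.v1.MsgEthereumTx"
	extOptEthereumTx = "/ethermint.evm.v1.ExtensionOptionsEthereumTx"
)

// Tx is a hypothetical, minimal model of a Cosmos SDK transaction: only the
// message type URLs and the extension option type URLs matter for the check.
type Tx struct {
	MsgTypes         []string
	ExtensionOptions []string
}

var ErrUnwrappedEthTx = errors.New("MsgEthereumTx wrapped in a tx without ExtensionOptionsEthereumTx")

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// unpatchedRoute models the pre-fix gate as the advisory describes it: nothing
// rejects an Ethereum message that lacks the option. How the real ante handler
// then treated such a tx is not shown on this page; here it takes the non-EVM path.
func unpatchedRoute(tx Tx) string {
	if contains(tx.ExtensionOptions, extOptEthereumTx) {
		return "evm-ante"
	}
	return "cosmos-ante"
}

// patchedRoute adds the rule from cronos#270: a tx that carries MsgEthereumTx
// must also carry ExtensionOptionsEthereumTx, otherwise it is rejected outright.
func patchedRoute(tx Tx) (string, error) {
	if contains(tx.MsgTypes, msgEthereumTx) && !contains(tx.ExtensionOptions, extOptEthereumTx) {
		return "", ErrUnwrappedEthTx
	}
	return unpatchedRoute(tx), nil
}

func main() {
	unwrapped := Tx{MsgTypes: []string{msgEthereumTx}} // constructed sample: no extension option
	fmt.Println(unpatchedRoute(unwrapped))             // accepted before the fix
	_, err := patchedRoute(unwrapped)
	fmt.Println(err) // rejected after the fix
}
```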

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Ecosystem   Affected versions     Patched versions
github.com/crypto-org-chain/cronos  Go          < 0.6.5               0.6.5
github.com/tharsis/ethermint        Go          >= 0.8.0, < 0.10.0    0.10.0
github.com/tharsis/evmos            Go          <= 0.4.2
github.com/tharsis/ethermint        Go          < 0.7.3               0.7.3


Patches (1)

Commit 150ef237b37a

Problem: MsgEthereumTx wrapping tx without the extension option is not rejected (#270)

4 files changed · +12 −7
  • CHANGELOG.md  +6 −1  modified
    @@ -1,6 +1,11 @@
     # Changelog
     
    -## Unreleased
    +## v0.6.5
    +
    +### Bug Fixes
    +
    +- [cronos#255](https://github.com/crypto-org-chain/cronos/pull/255) fix empty topics in non-breaking way
    +- [cronos#270](https://github.com/crypto-org-chain/cronos/pull/270) reject MsgEthereumTx wrapping tx without the extension option.
     
     *November 30, 2021*
     
    
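Review bot: the `## Unreleased` heading is replaced by `## v0.6.5` instead of being kept above it, so the next change merged after this release has no section to land in; keep an empty `## Unreleased` heading above `## v0.6.5`. The cronos#270 entry also states only what is rejected, not why; a short note that an unwrapped MsgEthereumTx could drain the current block's fees from the FeeCollector (or a link to the advisory) would let operators judge the urgency of the upgrade from the changelog alone.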
  • go.mod  +1 −1  modified
    @@ -164,4 +164,4 @@ replace github.com/ethereum/go-ethereum => github.com/crypto-org-chain/go-ethere
     // TODO: remove when ibc-go and ethermint upgrades cosmos-sdk
     replace github.com/cosmos/cosmos-sdk => github.com/cosmos/cosmos-sdk v0.44.2
     
    -replace github.com/tharsis/ethermint => github.com/crypto-org-chain/ethermint v0.7.2-cronos-4
    +replace github.com/tharsis/ethermint => github.com/crypto-org-chain/ethermint v0.7.2-cronos-6
    
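Review bot: this hunk carries the whole fix, but only as a bump of the ethermint fork from v0.7.2-cronos-4 to v0.7.2-cronos-6; no rejection logic is visible in this repository, so the behaviour cannot be reviewed from this diff. Reference the fork commit that adds the check in the PR description (the gomod2nix hunk pins rev 60af027299c1aec580240d1e03d66c0ad100934b) and say why cronos-5 is skipped. The `// TODO: remove when ibc-go and ethermint upgrades cosmos-sdk` line and the cosmos-sdk v0.44.2 replace above are unchanged, so confirm the new fork version was built against that same cosmos-sdk.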
  • gomod2nix.toml  +3 −3  modified
    @@ -4637,13 +4637,13 @@
         sha256 = "1kmdk3v2a6ygcg2i8jfgz61yzxi4183xgzlaviq9jwsqwc2hj60w"
     
     ["github.com/tharsis/ethermint"]
    -  sumVersion = "v0.7.2-cronos-4"
    +  sumVersion = "v0.7.2-cronos-6"
       vendorPath = "github.com/crypto-org-chain/ethermint"
       ["github.com/tharsis/ethermint".fetch]
         type = "git"
         url = "https://github.com/crypto-org-chain/ethermint"
    -    rev = "82805507f7d2e83cad547736883dc22acfb52440"
    -    sha256 = "01f9i8vq0jqml676wvh0kr9kxg7grqw7f64g1qd81pzm2n89k7pn"
    +    rev = "60af027299c1aec580240d1e03d66c0ad100934b"
    +    sha256 = "1074b5rbi1l0ija5iz4i9d92r1as030wkqllz5ga0ahhqrgb2rp9"
     
     ["github.com/tidwall/gjson"]
       sumVersion = "v1.6.7"
    
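Review bot: `sumVersion`, `rev` and `sha256` move together, which is what the nix build needs, but these three values should come from regenerating the lock file with gomod2nix rather than from hand edits, otherwise the sha256 can silently disagree with the source tree at rev 60af027299c1aec580240d1e03d66c0ad100934b; please state in the PR how the file was produced. `vendorPath` stays github.com/crypto-org-chain/ethermint, consistent with the go.mod replace.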
  • go.sum  +2 −2  modified
    @@ -261,8 +261,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
     github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
     github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
     github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
    -github.com/crypto-org-chain/ethermint v0.7.2-cronos-4 h1:NaCc0L5zN2u7B9WofmhJfur23UDebWSRD+Goqf9URnY=
    -github.com/crypto-org-chain/ethermint v0.7.2-cronos-4/go.mod h1:J96LX4KvLyl+5jV6+mt/4l6srtGX/mdDTuqQQuYrdDk=
    +github.com/crypto-org-chain/ethermint v0.7.2-cronos-6 h1:AHmZ4d/VvRPYEwRK8WATDVgAW+LQLuus9/oRo8UHkB4=
    +github.com/crypto-org-chain/ethermint v0.7.2-cronos-6/go.mod h1:J96LX4KvLyl+5jV6+mt/4l6srtGX/mdDTuqQQuYrdDk=
     github.com/crypto-org-chain/go-ethereum v1.10.3-patched h1:kr6oQIYOi2VC8SZwkhlUDZE1Omit/YHVysKMgCB2nes=
     github.com/crypto-org-chain/go-ethereum v1.10.3-patched/go.mod h1:99onQmSd1GRGOziyGldI41YQb7EESX3Q4H41IfJgIQQ=
     github.com/crypto-org-chain/ibc-go v1.2.1-hooks h1:wuWaQqm/TFKJQwuFgjCPiPumQio+Yik5Z1DObDExrrU=
    
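Review bot: the `/go.mod` line for v0.7.2-cronos-6 keeps the same h1 hash as cronos-4 (`J96LX4KvLyl+5jV6+mt/4l6srtGX/mdDTuqQQuYrdDk=`), which is consistent with only source files changing in the fork while its go.mod stays identical, and the module zip hash (`AHmZ4d/...`) is new as expected. Confirm the two lines were written by `go mod tidy` rather than copied in, and that dropping the cronos-4 entries does not break any other module in the build that still pins that version.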

