Discrepency in transfer value and actual value due to incorrect truncation in Frontier
Description
Incorrect EVM-to-Substrate balance type conversion in Frontier leads to discrepancy between appeared and actual transfer values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect EVM-to-Substrate balance type conversion in Frontier leads to discrepancy between appeared and actual transfer values.
Vulnerability
CVE-2022-31111 is an incorrect truncation vulnerability in Frontier, the Ethereum compatibility layer for Substrate-based chains. The balance conversion between EVM and Substrate types used low_u128() and unique_saturated_into() improperly, allowing a mismatch between the apparent EVM transfer value and the actual Substrate value transferred. Affected versions include all prior to commit fed5e0a9577c10bea021721e8c2c5c378e16bf66 (master branch) and e3e427fa2e5d1200a784679f8015d4774cedc934 (polkadot-v0.9.22 branch) [1][2][4]. The vulnerability resides in the pallet_evm and pallet_ethereum modules during balance-handling operations such as fee withdrawal and deposit creation [3][4].
Exploitation
No special network position or authentication beyond normal EVM interaction is required to trigger the bug. An attacker can craft a transaction or contract that exploits the incorrect conversion, causing the Substrate system to record a different value than what the EVM contract perceives. The fix commits show that the issue stems from removing the .low_u128() call and properly using UniqueSaturatedInto trait bounds, affecting fee withdrawals and genesis balance deposits [1][2][3]. An attacker only needs the ability to execute EVM transactions on the chain.
Impact
Successful exploitation leads to a discrepancy between the EVM contract's recorded transfer value and the actual Substrate balance transfer. This can break invariant assumptions in smart contracts such as DEXes and ERC-20 tokens, potentially enabling theft of funds or incorrect state accounting within EVM execution. The vulnerability affects only EVM internal states, not Substrate native balances or the node itself [4]. The impact is high severity because it undermines the correctness of core DeFi operations [4].
Mitigation
The vulnerability is patched in Frontier master branch commit fed5e0a9577c10bea021721e8c2c5c378e16bf66 and polkadot-v0.9.22 branch commit e3e427fa2e5d1200a784679f8015d4774cedc934 [1][2][4]. Until patched, operators can temporarily pause EVM execution by setting up a Substrate CallFilter that disables pallet-evm and pallet-ethereum calls [4]. No other workarounds are provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
- Limit number of iterations in genesis nonce building (#753) · polkadot-evm/frontier@fed5e0a
- Limit number of iterations in genesis nonce building (#753) · polkadot-evm/frontier@e3e427f
- Fix incorrect truncation of low_u128/low_u64 by sorpaas · Pull Request #753 · polkadot-evm/frontier
- Discrepency between appeared EVM transfer value and actual value due to incorrect truncation
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: commits prior to fed5e0a9577c10bea021721e8c2c5c378e16bf66
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The truncation logic when converting between EVM and Substrate balance types was incorrectly implemented."
Attack vector
An attacker can exploit this by performing EVM transfers where the value exceeds the truncation limit. This would lead to a discrepancy between the value that appears to be transferred within the EVM and the actual value recorded in the Substrate balance. The vulnerability affects only the EVM internal states, not the underlying Substrate balance states or the node itself. The advisory recommends temporarily pausing EVM execution to mitigate the risk until a patch can be applied [ref_id=1].
Affected code
The vulnerability lies within the `pallet-evm` and `pallet-ethereum` components of Frontier. Specifically, the `deposit_creating` function within the `GenesisConfig` and `OnChargeEVMTransaction` implementations were affected. The diff shows changes to how balances are converted and deposited, specifically addressing the use of `low_u128()` which caused truncation [ref_id=1, ref_id=2].
What the fix does
The patch modifies the `deposit_creating` function to correctly use `unique_saturated_into` for balance conversions, ensuring that the full balance is applied rather than a truncated value. This is applied to both the genesis build and the `OnChargeEVMTransaction` implementation, resolving the discrepancy between EVM and Substrate balance representations [ref_id=1]. The fix is present in commits fed5e0a9577c10bea021721e8c2c5c378e16bf66 and e3e427fa2e5d1200a784679f8015d4774cedc934 [ref_id=1, ref_id=2].
Preconditions
- configThe system must be running an affected version of Frontier with EVM enabled.
- inputAn EVM transfer operation with a value large enough to trigger the truncation.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/paritytech/frontier/commit/e3e427fa2e5d1200a784679f8015d4774cedc934mitrex_refsource_MISC
- github.com/paritytech/frontier/commit/fed5e0a9577c10bea021721e8c2c5c378e16bf66mitrex_refsource_MISC
- github.com/paritytech/frontier/pull/753mitrex_refsource_MISC
- github.com/paritytech/frontier/security/advisories/GHSA-hc8w-mx86-9fcjmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.