VYPR
← All advisories
Critical severityNVD Advisory· Published Sep 6, 2022· Updated Apr 22, 2025

Elrond go can execute on same context checks in VM

CVE-2022-36061

Description

Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B state, the state will be altered for contract B as if the call was not made in the read-only mode. This can lead to some effects not designed by the original smart contracts programmers. This issue was patched in version 1.3.35. There are no known workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/ElrondNetwork/elrond-goGo
< 1.3.351.3.35

Affected products

2

Patches

Vulnerability mechanics

Root cause

"Read-only cross-contract calls were not prevented from modifying the called contract's state, allowing state changes during queries that should be side-effect-free."

Attack vector

An attacker deploys a contract A that makes a read-only call to contract B, where contract B's function performs state mutations (e.g., altering token balances). Because the protocol did not enforce read-only semantics across contract boundaries, contract B's state is permanently changed even though the call was marked read-only. The attacker triggers this via a normal transaction that invokes contract A; no special network access is required beyond the ability to deploy and call smart contracts on the Elrond network. The vulnerability is gated behind the `CheckExecuteOnReadOnlyEnableEpoch` configuration flag [patch_id=1641412], meaning it was exploitable on epochs where that flag was not yet enabled.

Affected code

The vulnerability spans the smart contract execution pipeline. The `createInProcessArwenVMV14` function in `process/factory/shard/vmContainerFactory.go` passes the new `CheckExecuteReadOnlyEnableEpoch` parameter to the Arwen VM host. The `createBuiltinFuncs` and `createScQueryElement` functions in `factory/apiResolverFactory.go` and `factory/blockProcessorCreator.go` propagate the `CheckFunctionArgumentEnableEpoch` flag through the built-in functions container. The `config/epochConfig.go` struct adds the two new epoch fields. The core fix resides in the updated `arwen-wasm-vm` and `elrond-vm-common` dependencies (bumped in `go.mod` and `go.sum`).

What the fix does

The patch introduces two new epoch-configuration flags: `CheckFunctionArgumentEnableEpoch` and `CheckExecuteOnReadOnlyEnableEpoch` [patch_id=1641412]. These flags are threaded through the factory layers (`apiResolverFactory.go`, `blockProcessorCreator.go`, `builtInFunctions/factory.go`) and passed to the Arwen VM v1.4 host parameters (`vmContainerFactory.go`). The updated `arwen-wasm-vm` dependency (v1.4.54-rc3) and `elrond-vm-common` dependency (v1.3.12) enforce that read-only calls cannot execute state-modifying operations. The integration test `TestSendNFTToContractWith0FunctionNonPayable` validates that a transaction attempting to send an NFT to a non-payable contract now correctly returns a `UserError` instead of silently altering state.

Preconditions

  • configThe network must be running on an epoch where CheckExecuteOnReadOnlyEnableEpoch is not yet enabled (i.e., epoch < 4 in the default configuration).
  • inputAttacker must be able to deploy a smart contract that performs a read-only call to another contract whose function mutates state.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.