CVE-2022-37450
Description
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go Ethereum (geth) through 1.10.21 allows attackers to manipulate block timestamps for riskless uncle making (RUM), enabling main-chain replacement and reward inflation.
Vulnerability
Overview
CVE-2022-37450, also known as Riskless Uncle Making (RUM), affects Go Ethereum (geth) versions up to 1.10.21. The vulnerability arises from insufficient validation of block timestamps in the fork choice logic. By manipulating time-difference values, an attacker can cause the network to accept blocks that should be considered uncles (orphaned blocks) as part of the main chain, effectively replacing legitimate blocks [2]. This attack was exploited in the wild from 2020 through 2022.
Attack
Vector
An attacker must be a miner or control mining power to produce blocks. The exploit leverages specific code paths in geth's fork choice implementation, particularly in core/forkchoice.go [3]. By crafting blocks with carefully adjusted timestamps, the attacker can trigger a reorg that favors their blocks over honest ones, even when the honest chain has more accumulated proof-of-work. No special network position is required beyond standard mining capabilities.
Impact
Successful exploitation allows the attacker to replace main-chain blocks, thereby invalidating transactions in the original blocks and gaining block rewards for their own blocks. This enables reward inflation and potential double-spending attacks, undermining the security and consensus guarantees of the Ethereum network [2].
Mitigation
The vulnerability is patched in geth versions after 1.10.21. Users are strongly advised to upgrade to the latest version. The Ethereum Foundation has also released advisory information and recommended immediate updates to prevent ongoing exploitation [1]. There are no known workarounds for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ethereum/go-ethereum (Go) | <= 1.10.21 | — |
Affected products
- Go Ethereum / Go Ethereum
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rqmg-hrg4-fm69 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37450 (GHSA advisory)
- dx.doi.org/10.13140/RG.2.2.27813.99043 (GHSA, web)
- github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go (GHSA, web)
- medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef (MITRE and GHSA, web)
- news.ycombinator.com/item (GHSA, web)
News mentions
No linked articles in our index yet.