Incorrect Calculation in Frontier leads to inflated Ethereum chain gas prices
Description
Frontier is an Ethereum compatibility layer for Substrate. Prior to commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658, the worst-case weight was always accounted as the block weight for all cases. In case of large EVM gas refunds, this can lead to block spamming attacks: the adversary can construct blocks with transactions that have large amounts of refunds or unused gas with reverts, and as a result inflate the chain gas prices. The impact of this issue is limited in that the spamming attack would still be costly for any adversary, and it has no ability to alter any chain state. This issue has been patched in commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Frontier for Substrate always accounted worst-case weight, ignoring EVM gas refunds, enabling block spamming to inflate gas prices.
Vulnerability
CVE-2022-39242 is a denial-of-service vulnerability in Frontier, an Ethereum compatibility layer for Substrate. The root cause is that prior to commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658, the worst-case weight was always accounted as the block weight for all cases, even when large EVM gas refunds occurred. This means the system did not properly refund unused weight after EVM execution [1][4].
Exploitation
An adversary can exploit this by constructing blocks with transactions that include large refunds or unused gas combined with reverts. Because the unused weight is not refunded, each such transaction is charged its full worst-case weight against the block, allowing the attacker to fill blocks with these transactions. The attack requires only the ability to submit transactions to the network; no special authentication or privileges beyond normal user access are needed [1][4].
Impact
The attack inflates the chain's gas prices by spamming blocks, causing a form of denial of service. However, the impact is limited: the spamming attack remains costly for the adversary, and it has no ability to alter any chain state. The vulnerability does not allow for theft, data corruption, or permanent disruption beyond temporary gas price manipulation [1][4].
Mitigation
The issue has been patched in commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658 and is fixed in Pull Request #851. There are no known workarounds, so users must update their Frontier deployments to the patched version [1][2][4].
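As an added illustration of the accounting defect described above (this is not Frontier's code and not the change in Pull Request #851), the following Rust model compares two ways of charging an EVM transaction against a block's weight budget: charging the weight of the full gas limit regardless of outcome, versus charging only the gas actually used after refunds and reverts. The block limit, the gas-to-weight ratio and the transaction figures are constructed values, and the `Accounting`, `EvmTx`, `fill_block` and `phantom_weight` names are this example's own.

```rust
// Added example: a simplified model of block weight accounting for EVM
// transactions. This is not Frontier's code; names and constants are assumed.

/// Constructed block weight budget (a real runtime takes this from its config).
pub const MAX_BLOCK_WEIGHT: u64 = 500_000_000_000;
/// Constructed linear gas-to-weight ratio (a real runtime uses its own mapping).
pub const WEIGHT_PER_GAS: u64 = 20_000;

/// Convert EVM gas into weight units with the assumed linear mapping.
pub fn gas_to_weight(gas: u64) -> u64 {
    gas.saturating_mul(WEIGHT_PER_GAS)
}

/// One EVM transaction as seen by the block builder.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct EvmTx {
    /// Gas the sender committed to; bounds the worst case.
    pub gas_limit: u64,
    /// Gas actually consumed once refunds and early reverts are applied.
    pub gas_used: u64,
}

/// How a transaction's weight is charged against the block budget.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Accounting {
    /// Pre-fix behaviour described in the advisory: always charge the worst case.
    WorstCase,
    /// Post-fix behaviour: give back the weight of gas that was not used.
    RefundUnused,
}

/// Weight that one transaction occupies in the block under the given policy.
/// `gas_used` is clamped to `gas_limit` so a malformed receipt can never charge
/// more than the sender committed to.
pub fn charged_weight(tx: &EvmTx, mode: Accounting) -> u64 {
    match mode {
        Accounting::WorstCase => gas_to_weight(tx.gas_limit),
        Accounting::RefundUnused => gas_to_weight(tx.gas_used.min(tx.gas_limit)),
    }
}

/// Greedily pack transactions from `pool` into one block.
/// Returns (transactions included, weight charged).
pub fn fill_block(pool: &[EvmTx], mode: Accounting) -> (usize, u64) {
    let mut charged = 0u64;
    let mut included = 0usize;
    for tx in pool {
        let w = charged_weight(tx, mode);
        if charged.saturating_add(w) > MAX_BLOCK_WEIGHT {
            break;
        }
        charged += w;
        included += 1;
    }
    (included, charged)
}

/// Weight charged to a block under worst-case accounting that never
/// corresponded to executed gas. This is the capacity that refund-heavy or
/// reverting transactions hold idle, and the quantity the fix returns.
pub fn phantom_weight(block: &[EvmTx]) -> u64 {
    block
        .iter()
        .map(|tx| gas_to_weight(tx.gas_limit.saturating_sub(tx.gas_used)))
        .sum()
}

/// Constructed pool: 600 transactions that each reserve 1,000,000 gas but
/// consume only 50,000 (for example, an early revert or a large refund).
pub fn sample_pool() -> Vec<EvmTx> {
    vec![EvmTx { gas_limit: 1_000_000, gas_used: 50_000 }; 600]
}

fn main() {
    let pool = sample_pool();
    let (n_worst, w_worst) = fill_block(&pool, Accounting::WorstCase);
    let (n_refund, w_refund) = fill_block(&pool, Accounting::RefundUnused);
    println!("worst-case accounting: {} txs fill {} weight", n_worst, w_worst);
    println!("refund accounting:     {} txs fill {} weight", n_refund, w_refund);
    println!(
        "phantom weight in the worst-case block: {}",
        phantom_weight(&pool[..n_worst])
    );
}
```

With these constructed figures the block holds 25 such transactions under worst-case accounting but 500 once unused weight is refunded; the difference is weight the chain's fee market treats as consumed although no execution backed it, which is the lever behind the gas-price inflation the advisory describes. The clamp in `charged_weight` is the check a reviewer would want on the refund path: the refunded amount must be derived from a used-gas value that cannot exceed the committed limit.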
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pallet-ethereum (crates.io) | <= 3.0.0 | — |
Affected products
- paritytech/frontier (v5) Range: < commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v57h-6hmh-g2p4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39242 (GHSA, advisory)
- github.com/paritytech/frontier/pull/851 (GHSA, web)
- github.com/paritytech/frontier/security/advisories/GHSA-v57h-6hmh-g2p4 (GHSA, web, confirm)
News mentions
No linked articles in our index yet.