VYPR
Moderate severityNVD Advisory· Published Oct 25, 2022· Updated Apr 23, 2025

evm has incorrect is_static parameter for custom stateful precompiles

CVE-2022-39354

Description

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed is_static parameter was incorrect -- it was only set to true if the call came from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses is_static. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
evmcrates.io
< 0.36.00.36.0

Affected products

2
  • ghsa-coords
    Range: < 0.36.0
  • rust-blockchain/evmv5
    Range: < 0.36.0

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.