VYPR
Moderate severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 23, 2025

evm has incorrect is_static parameter for custom stateful precompiles

CVE-2022-39354

Description

SputnikVM, also called evm, is a Rust implementation of the Ethereum Virtual Machine. A custom stateful precompile can use the is_static parameter to determine whether the call is executed in a static context (via STATICCALL), and thus decide whether stateful operations should be done. Prior to version 0.36.0, the passed is_static parameter was incorrect -- it was only set to true if the call came from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually use is_static. For those affected, the issue can lead to incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.
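
The difference between the two behaviours described above, as an added example that is not code from the evm crate or from this advisory. It is a simplified model: a call chain is a list of opcodes (outermost frame first), and `CallKind`, `Counter`, `run` and the two `is_static_*` functions are hypothetical names chosen for illustration.

```rust
// Simplified model, NOT the evm crate's API: how the is_static flag handed to
// a custom precompile is derived from the chain of calls that led to it.
#[derive(Clone, Copy, PartialEq)]
enum CallKind { Call, StaticCall }

// Behaviour before 0.36.0 as the advisory describes it: only the opcode that
// directly invokes the precompile is considered.
fn is_static_buggy(chain: &[CallKind]) -> bool {
    chain.last() == Some(&CallKind::StaticCall)
}

// Behaviour the advisory describes as correct: once any frame in the chain
// was entered via STATICCALL, every deeper frame stays static.
fn is_static_fixed(chain: &[CallKind]) -> bool {
    chain.iter().any(|k| *k == CallKind::StaticCall)
}

// Hypothetical stateful precompile: increments a counter unless the call is
// flagged as static, in which case it refuses to touch state.
struct Counter { value: u64 }

impl Counter {
    fn execute(&mut self, is_static: bool) -> Result<(), &'static str> {
        if is_static {
            return Err("state change attempted in static context");
        }
        self.value += 1;
        Ok(())
    }
}

// Invokes the precompile at the end of `chain`, using `flag` to compute
// is_static, and returns the counter value afterwards (0 = state untouched).
fn run(chain: &[CallKind], flag: fn(&[CallKind]) -> bool) -> u64 {
    let mut pc = Counter { value: 0 };
    let _ = pc.execute(flag(chain));
    pc.value
}

fn main() {
    use CallKind::*;
    // Constructed chains: plain call, direct STATICCALL, CALL nested in STATICCALL.
    for chain in [vec![Call], vec![StaticCall], vec![StaticCall, Call]] {
        let (b, f) = (run(&chain, is_static_buggy), run(&chain, is_static_fixed));
        println!("depth={} buggy_writes={} fixed_writes={}", chain.len(), b, f);
    }
}
```

Only the third chain differs between the two functions, which makes it the case a regression test for a custom precompile should cover after upgrading to 0.36.0.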

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SputnikVM (evm) incorrectly propagated the static call context to custom precompiles, allowing state transitions in static contexts, leading to potential integrity violations.

Root Cause

The vulnerability lies in how SputnikVM (the Rust implementation of the Ethereum Virtual Machine, also known as evm) handles the is_static parameter for custom precompiles. Prior to version 0.36.0, the is_static flag was only set to true when a call originated directly from a STATICCALL opcode. However, once a static call context is entered (e.g., via a nested STATICCALL or a static call from another precompile), the context should remain static for all subsequent calls. The bug caused is_static to be incorrectly reported as false in such nested scenarios, violating the Ethereum specification [1][3].

Exploitation

Only custom precompiles that actually inspect the is_static parameter to decide whether to allow stateful operations are affected. An attacker can craft a transaction that enters a static context (e.g., by calling a contract that uses STATICCALL) and then invokes a vulnerable custom precompile. Because the precompile receives is_static = false, it may permit state modifications that should be forbidden in a static context. The attack requires no special privileges and can be performed over the network [1][2].

Impact

Successful exploitation allows an attacker to cause incorrect state transitions, potentially altering contract storage or other persistent data in ways that the EVM's static call mechanism was designed to prevent. The integrity impact is high, while confidentiality and availability are unaffected. The issue is rated CVSS 7.5 (High) [3].

Mitigation

The vulnerability is fixed in evm version 0.36.0. Users should update their dependency to this version or later. No workarounds are available [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
evm (crates.io)    < 0.36.0             0.36.0

Affected products

2
  • ghsa-coords
    Range: < 0.36.0
  • rust-blockchain/evmv5
    Range: < 0.36.0
