Frontier opcode SUICIDE touches too many storage values on large contracts
Description
Frontier's SUICIDE opcode (SELFDESTRUCT) can trigger a single unbounded storage clear call, causing parachain stalls due to excessive PoV size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Frontier's SUICIDE opcode (SELFDESTRUCT) can trigger a single unbounded storage clear call, causing parachain stalls due to excessive PoV size.
Vulnerability
In the Frontier Ethereum compatibility layer for Substrate, prior to commit aea528198b3b226e0d20cce878551fd4c0e3d5d0, the SUICIDE opcode (also known as SELFDESTRUCT) at the end of a contract execution uses storage::remove_prefix (later renamed storage::clear_prefix) to remove all storage entries associated with the contract being deleted. This is performed in a single IO primitive call crossing the WebAssembly boundary [1][3]. For contracts with many storage values, this operation can be slow and, critically for parachains, all deleted storage items become part of the Proof-of-Validation (PoV) block. The maintainers charge only a fixed cost for SUICIDE, regardless of the number of storage entries [3]. No limit parameter is supplied to the storage clear call, so it removes all storage in one batch [1].
Exploitation
An attacker can craft a contract that writes a very large number of storage key-value pairs and then calls the SUICIDE opcode. On a parachain, if the transaction containing this SUICIDE call is included in a block, the PoV size will exceed the relay chain's PoV size limit, causing the parachain to stall because the block cannot be validated by the relay chain [3]. The attacker only needs the ability to deploy and execute contracts on the parachain; no special privileges are required. XCM transactions that reference such a contract cannot be skipped, making the issue particularly impactful for cross-chain messages [3].
Impact
Successful exploitation leads to a denial-of-service condition: the parachain stalls because the relay chain rejects PoV blocks that exceed the size limit. This prevents new blocks from being produced on the parachain, halting all activity until the network recovers. For parachains, the severity is high. On standalone chains, the impact is reduced because there is no relay chain PoV limit, but the unbounded storage clear call may still cause a slowdown [3].
Mitigation
The fix is implemented in commit aea528198b3b226e0d20cce878551fd4c0e3d5d0 (PR #1212) [1][2]. The patch introduces asynchronous suiciding by marking accounts as Suicided and deferring the actual storage deletion, avoiding an unbounded single call [2]. For parachains, an emergency runtime upgrade is recommended as soon as possible. For standalone chains, a normal runtime upgrade is advised. As of the advisory publication (October 2023), no known workarounds exist [3]. The vulnerability is not listed on CISA's KEV catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <= 0.1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The SUICIDE opcode's storage cleanup mechanism can be exploited to cause denial-of-service by exceeding relay chain Proof-of-Validity (PoV) size limits."
Attack vector
An attacker can deploy a contract with a large number of storage values on a parachain. Subsequently, calling the SUICIDE opcode on this contract triggers a cleanup operation that attempts to remove all associated storage. If this operation results in a PoV size exceeding the relay chain's limit, the parachain block will stall, especially impacting non-skippable XCM transactions [ref_id=1].
Affected code
The vulnerability lies within the `remove_account` function in the Frontier pallet, specifically the line `let _ = <AccountStorages<T>>::remove_prefix(address, None);` which was removed in favor of a new approach using `Suicided` storage and `inc_account_nonce` [ref_id=1].
What the fix does
The patch introduces a mechanism to handle contract suiciding more efficiently. Instead of directly clearing all storage prefixes, it now marks accounts as 'suicided' and increments their nonce. This change prevents the unbounded storage removal that could previously lead to PoV size exhaustion [ref_id=1]. For parachains, an emergency runtime upgrade is recommended, while standalone chains can opt for a normal runtime upgrade.
Preconditions
- inputAttacker must be able to deploy a contract with a large storage footprint on a parachain.
- configThe target must be a parachain utilizing Frontier's Ethereum compatibility layer prior to the fix.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/paritytech/frontier/commit/aea528198b3b226e0d20cce878551fd4c0e3d5d0mitrex_refsource_MISC
- github.com/paritytech/frontier/pull/1212mitrex_refsource_MISC
- github.com/paritytech/frontier/security/advisories/GHSA-gc88-2gvv-gp3vmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.