Impact
The truncation done when converting between EVM balance type and Substrate balance type was incorrectly implemented. This leads to possible discrepancy between appeared EVM transfer value and actual Substrate value transferred. This is a high severity vulnerability because it affects EVM contracts that reads EVM transfer values in their codes including DEX and ERC20 tokens. It is recommended that an emergency upgrade to be planned and EVM execution temporarily paused in the mean time.
Patches
The issue is patched in Frontier master branch commit fed5e0a and polkadot-v0.9.22 branch commit e3e427f
Workarounds
This vulnerability affects only EVM internal states, but not Substrate balance states or node. You can temporarily pause EVM execution (by setting up a Substrate CallFilter that disables pallet-evm and pallet-ethereum calls) before the patch can be applied.
References
Fix PR: #753
For more information
If you have any questions or comments about this advisory:
Impact
The truncation done when converting between EVM balance type and Substrate balance type was incorrectly implemented. This leads to possible discrepancy between appeared EVM transfer value and actual Substrate value transferred. This is a high severity vulnerability because it affects EVM contracts that reads EVM transfer values in their codes including DEX and ERC20 tokens. It is recommended that an emergency upgrade to be planned and EVM execution temporarily paused in the mean time.
Patches
The issue is patched in Frontier master branch commit fed5e0a and polkadot-v0.9.22 branch commit e3e427f
Workarounds
This vulnerability affects only EVM internal states, but not Substrate balance states or node. You can temporarily pause EVM execution (by setting up a Substrate
CallFilterthat disablespallet-evmandpallet-ethereumcalls) before the patch can be applied.References
Fix PR: #753
For more information
If you have any questions or comments about this advisory: