GHSA-xw37-57qp-9mm4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xw37-57qp-9mm4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-xw37-57qp-9mm4/GHSA-xw37-57qp-9mm4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xw37-57qp-9mm4
- Aliases
- Published
- 2021-06-29T21:14:16Z
- Modified
- 2023-11-01T04:52:44.820199Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Consensus flaw during block processing in github.com/ethereum/go-ethereum
- Details
-
Impact
A consensus-vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain.
Description
A flaw was repoted at 2020-08-11 by John Youngseok Yang (Software Platform Lab), where a particular sequence of transactions could cause a consensus failure.
Tx 1:
senderinvokescaller.callerinvokes0xaa.0xaahas 3 wei, does a self-destruct-to-selfcallerdoes a1 wei-call to0xaa, who thereby has 1 wei (the code in0xaastill executed, since the tx is still ongoing, but doesn't redo the selfdestruct, it takes a different path if callvalue is non-zero)
Tx 2:
senderdoes a 5-wei call to 0xaa. No exec (since no code).
In geth, the result would be that
0xaahad6 wei, whereas OE reported (correctly)5wei. Furthermore, in geth, if the second tx was not executed, the0xaawould be destructed, resulting in0 wei. Thus obviously wrong.It was determined that the root cause was this commit from this PR. The semantics of
createObjectwas subtly changd, into returning a non-nil object (withdeleted=true) where it previously did not if the account had been destructed. This return value caused the new object to inherit the oldbalance:func (s *StateDB) CreateAccount(addr common.Address) { newObj, prev := s.createObject(addr) if prev != nil { newObj.setBalance(prev.data.Balance) } }It was determined that the minimal possible correct fix was
+++ b/core/state/statedb.go @@ -589,7 +589,10 @@ func (s *StateDB) createObject(addr common.Address) (newobj, prev *stateObject) s.journal.append(resetObjectChange{prev: prev, prevdestruct: prevdestruct}) } s.setStateObject(newobj) - return newobj, prev + if prev != nil && !prev.deleted { + return newobj, prev + } + return newobj, nilPatches
See above. The fix was included in Geth
v1.9.20"Paragade".Credits
The bug was found by @johnyangk and reported via bounty@ethereum.org.
For more information
If you have any questions or comments about this advisory: * Open an issue in go-ethereum * Email us at security@ethereum.org
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2021-05-21T21:15:07Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-682" ] }- References
-
- https://github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4
- https://nvd.nist.gov/vuln/detail/CVE-2020-26265
- https://github.com/ethereum/go-ethereum/pull/21080
- https://github.com/ethereum/go-ethereum/pull/21409
- https://github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a
- https://github.com/ethereum/go-ethereum
- https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20
- https://pkg.go.dev/vuln/GO-2021-0105
Affected packages
Go / github.com/ethereum/go-ethereum
Package
- Name
- github.com/ethereum/go-ethereum
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ethereum/go-ethereum