GitHub Advisory DatabaseGHSA-XW37-57QP-9MM4Consensus flaw during block processing in github.com/ethereum/go-ethereum
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
3.5 Low
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
19.4%
Impact
A consensus-vulnerability in Geth could cause a chain split, where vulnerable versions refuse to accept the canonical chain.
Description
A flaw was repoted at 2020-08-11 by John Youngseok Yang (Software Platform Lab), where a particular sequence of transactions could cause a consensus failure.
-
Tx 1:
senderinvokescaller.callerinvokes0xaa.0xaahas 3 wei, does a self-destruct-to-selfcallerdoes a1 wei-call to0xaa, who thereby has 1 wei (the code in0xaastill executed, since the tx is still ongoing, but doesn’t redo the selfdestruct, it takes a different path if callvalue is non-zero)
-
Tx 2:
senderdoes a 5-wei call to 0xaa. No exec (since no code).
In geth, the result would be that 0xaa had 6 wei, whereas OE reported (correctly) 5 wei. Furthermore, in geth, if the second tx was not executed, the 0xaa would be destructed, resulting in 0 wei. Thus obviously wrong.
It was determined that the root cause was this commit from this PR. The semantics of createObject was subtly changd, into returning a non-nil object (with deleted=true) where it previously did not if the account had been destructed. This return value caused the new object to inherit the old balance:
func (s *StateDB) CreateAccount(addr common.Address) {
newObj, prev := s.createObject(addr)
if prev != nil {
newObj.setBalance(prev.data.Balance)
}
}
It was determined that the minimal possible correct fix was
+++ b/core/state/statedb.go
@@ -589,7 +589,10 @@ func (s *StateDB) createObject(addr common.Address) (newobj, prev *stateObject)
s.journal.append(resetObjectChange{prev: prev, prevdestruct: prevdestruct})
}
s.setStateObject(newobj)
- return newobj, prev
+ if prev != nil && !prev.deleted {
+ return newobj, prev
+ }
+ return newobj, nil
Patches
See above. The fix was included in Geth v1.9.20 “Paragade”.
Credits
The bug was found by @johnyangk and reported via [email protected].
For more information
If you have any questions or comments about this advisory:
- Open an issue in go-ethereum
- Email us at [email protected]
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/ethereum/go-ethereum | lt | 1.9.20 |
References
github.com/advisories/GHSA-xw37-57qp-9mm4
github.com/ethereum/go-ethereum/commit/87c0ba92136a75db0ab2aba1046d4a9860375d6a
github.com/ethereum/go-ethereum/pull/21080
github.com/ethereum/go-ethereum/pull/21409
github.com/ethereum/go-ethereum/releases/tag/v1.9.20
github.com/ethereum/go-ethereum/security/advisories/GHSA-xw37-57qp-9mm4
nvd.nist.gov/vuln/detail/CVE-2020-26265
pkg.go.dev/vuln/GO-2021-0105
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
3.5 Low
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
19.4%