
CVE-2022-35936: CWE-668: Exposure of Resource to Wrong Sphere in evmos ethermint

Medium
Published: Fri Aug 05 2022 (08/05/2022, 12:55:11 UTC)
Source: CVE
Vendor/Project: evmos
Product: ethermint

Description

Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount` function, all contracts that used the identical bytecode (i.e. shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. A workaround is available. If a contract is subject to DoS due to this issue, the user can redeploy the same contract, i.e. with identical bytecode, so that the original contract's code is recovered. The new contract deployment restores the `bytecode hash -> bytecode` entry in the internal state.

AI-Powered Analysis

Last updated: 06/21/2025, 23:55:40 UTC

Technical Analysis

CVE-2022-35936 is a medium-severity vulnerability in Ethermint, the Ethereum-compatible library used in the Evmos blockchain ecosystem. The flaw is in the DeleteAccount function of affected Ethermint versions (the advisory text gives versions before v0.17.2 as affected and v0.18.0 as the patched release). When a smart contract invokes the selfdestruct opcode, DeleteAccount removes the contract's bytecode from the internal database store. Bytecode in that store is keyed by its hash (CodeHash) and is shared by every contract deployed from identical bytecode, so the deletion is not confined to the self-destructing contract: every other contract with the same CodeHash loses its code and stops working, although none of them invoked selfdestruct. The result is a denial of service against all contracts sharing that bytecode. The issue is classified as CWE-668 (exposure of resource to wrong sphere): a per-contract operation reaches into state that belongs to other contracts. The fix shipped in Ethermint v0.18.0; because it changes state-machine behaviour, chains built on Ethermint need a coordinated upgrade rather than a rolling one. As a workaround, redeploying the identical bytecode rewrites the bytecode hash -> bytecode entry, which restores every contract that referenced it, since the surviving accounts still carry the CodeHash. No exploits in the wild have been reported. The trigger is an ordinary selfdestruct invocation, a standard Ethereum opcode, and requires no authentication or user interaction beyond the ability to deploy or call a contract. The scope is limited to contracts sharing identical bytecode on affected Ethermint versions prior to v0.18.0.
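The mechanism above, shown as a small state model. This is example code written for this page, not Ethermint's keeper: the store layout (accounts keyed by address, bytecode keyed by code hash and shared between accounts), the buggy and fixed `DeleteAccount` variants, the use of sha256 in place of keccak256, and the sample bytecode are all assumptions made for illustration. It demonstrates why one contract's `selfdestruct` kills its twins, why redeploying the same bytecode revives them, and what a delete that respects the shared entry looks like.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical, simplified model of the two stores involved (example code for
// this page, not Ethermint's keeper): accounts keyed by address, and a code
// store keyed by code hash that every account with that hash shares.
type Address string
type CodeHash string

type Account struct {
	CodeHash CodeHash
}

type State struct {
	Accounts map[Address]*Account
	Code     map[CodeHash][]byte
}

func NewState() *State {
	return &State{Accounts: map[Address]*Account{}, Code: map[CodeHash][]byte{}}
}

// hashCode stands in for keccak256 (sha256 keeps the example dependency-free).
func hashCode(code []byte) CodeHash {
	sum := sha256.Sum256(code)
	return CodeHash(hex.EncodeToString(sum[:]))
}

// Deploy writes the bytecode under its hash and points the new account at it.
// A second deployment of identical bytecode rewrites the same entry, which is
// exactly why the advisory's redeploy workaround recovers the other contracts.
func (s *State) Deploy(addr Address, code []byte) {
	h := hashCode(code)
	s.Code[h] = code
	s.Accounts[addr] = &Account{CodeHash: h}
}

// GetCode is what a call into addr needs; an error means the contract is dead.
func (s *State) GetCode(addr Address) ([]byte, error) {
	acc, ok := s.Accounts[addr]
	if !ok {
		return nil, errors.New("no such account")
	}
	code, ok := s.Code[acc.CodeHash]
	if !ok {
		return nil, fmt.Errorf("account %s references missing code hash %s", addr, acc.CodeHash)
	}
	return code, nil
}

// DeleteAccountBuggy models the pre-fix behaviour the advisory describes:
// deleting the self-destructing account also deletes the codehash -> bytecode
// entry that other accounts with the same CodeHash still point at.
func (s *State) DeleteAccountBuggy(addr Address) error {
	acc, ok := s.Accounts[addr]
	if !ok {
		return errors.New("no such account")
	}
	delete(s.Code, acc.CodeHash)
	delete(s.Accounts, addr)
	return nil
}

// DeleteAccountFixed removes only the account and leaves shared bytecode in
// place. Keeping the entry forever versus reference-counting it is a design
// choice; this example simply keeps it (assumption, not the project's patch).
func (s *State) DeleteAccountFixed(addr Address) error {
	if _, ok := s.Accounts[addr]; !ok {
		return errors.New("no such account")
	}
	delete(s.Accounts, addr)
	return nil
}

func main() {
	// Constructed sample: two independent instances of the same bytecode.
	token := []byte{0x60, 0x80, 0x60, 0x40, 0x52}
	s := NewState()
	s.Deploy("0xA", token)
	s.Deploy("0xB", token)

	_ = s.DeleteAccountBuggy("0xA") // contract A self-destructs
	_, err := s.GetCode("0xB")      // B never called selfdestruct
	fmt.Println("B after A's selfdestruct (buggy):", err)

	s.Deploy("0xC", token) // workaround: redeploy identical bytecode
	_, err = s.GetCode("0xB")
	fmt.Println("B after redeploy:", err)

	f := NewState()
	f.Deploy("0xA", token)
	f.Deploy("0xB", token)
	_ = f.DeleteAccountFixed("0xA")
	_, err = f.GetCode("0xB")
	fmt.Println("B after A's selfdestruct (fixed):", err)
}
```

Note that the redeployment does not need to happen at the victim's address or by the victim's owner; anyone writing the same bytecode restores the shared entry, and by the same token anyone deploying and self-destructing a copy of that bytecode on an unpatched chain would remove it.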

Potential Impact

For European organizations utilizing Ethermint-based blockchain platforms, particularly those deploying smart contracts with shared bytecode, this vulnerability poses a risk of service disruption. Shared bytecode is the norm rather than the exception: factory-deployed instances, minimal proxies (EIP-1167 clones) and repeated deployments of the same token or vault implementation all share a CodeHash, so the blast radius of a single selfdestruct can be large. The unintended mass disabling of such contracts can cause significant availability problems for decentralized applications, potentially affecting financial transactions, supply chain tracking, or other blockchain-enabled services. The direct impact is on availability; contracts stop executing rather than executing incorrectly, although the unexpected outage undermines trust in the platform and can strand funds or state held by the dead contracts. Organizations relying on these contracts may face operational downtime and loss of business continuity. Since the trigger is keyed by bytecode rather than by address, a malicious or compromised contract, or an attacker's own fresh deployment of the same bytecode with a selfdestruct path they control, could intentionally deny service to every other contract sharing that code, which amplifies the risk. The need for coordinated upgrades to patch the vulnerability may complicate remediation, especially for enterprises with complex blockchain deployments. However, the workaround (redeploying the same bytecode) restores all affected contracts at once and mitigates some impact. Overall, the vulnerability could disrupt blockchain-based services critical to European industries such as finance, logistics, and public services that leverage Ethermint or Evmos chains.

Mitigation Recommendations

1. Immediate Upgrade: Plan and execute a coordinated upgrade to Ethermint version v0.18.0 or later, despite the state machine-breaking changes. This is the definitive fix and should be prioritized in environments where contract availability is critical.

2. Contract Deployment Practices: Where possible, avoid deploying multiple contracts with identical bytecode to reduce the blast radius of this vulnerability. Note that this is rarely practical for factory and proxy patterns, which share bytecode by design; for those, the upgrade is the only real fix. Inventory which deployed contracts contain a reachable SELFDESTRUCT, since only bytecode with that opcode can trigger the deletion.

3. Monitoring and Alerts: Implement monitoring to detect selfdestruct invocations, enabling rapid response if a contract selfdestructs unexpectedly. Alert on any contract that starts returning empty code (eth_getCode) without having been destroyed itself.

4. Redeployment Workaround: In case of DoS due to this vulnerability, promptly redeploy the affected bytecode to restore the bytecode hash -> bytecode entry; a single redeployment recovers every contract sharing that hash. Automate this process where feasible to minimize downtime.

5. Access Controls: Restrict permissions and interactions with contracts that have selfdestruct capabilities to trusted entities only, reducing the risk of malicious or accidental triggering. Be aware that on an unpatched chain this does not stop a third party from deploying and destroying their own copy of the same bytecode.

6. Testing and Validation: Before upgrading, thoroughly test applications with the new Ethermint version to handle state machine changes and ensure compatibility.

7. Documentation and Training: Educate development and operations teams about this vulnerability and the importance of coordinated upgrades and deployment hygiene to prevent recurrence.
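A practical check for items 2 and 3 above is to find which deployed bytecode actually contains a SELFDESTRUCT opcode. The scanner below is example code written for this page, not an Ethermint or Evmos tool. It decodes the instruction stream rather than grepping for the byte 0xff, because 0xff also occurs as PUSH immediate data and inside the CBOR metadata trailer that solc appends; the trailer stripping is a heuristic based on the two-byte length suffix, and the sample bytecodes are constructed for the example, not taken from real contracts.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	opPUSH1        = 0x60 // PUSH1..PUSH32 carry 1..32 immediate bytes
	opPUSH32       = 0x7f
	opSELFDESTRUCT = 0xff
)

// StripSolidityMetadata drops the CBOR metadata trailer solc appends to
// runtime bytecode. The last two bytes hold the trailer length (big-endian)
// and the trailer starts with a CBOR map byte (0xa1..0xa4 for 1..4 entries).
// Heuristic, not a full CBOR parser; hand-written bytecode has no trailer.
func StripSolidityMetadata(code []byte) []byte {
	if len(code) < 2 {
		return code
	}
	n := int(code[len(code)-2])<<8 | int(code[len(code)-1])
	start := len(code) - 2 - n
	if n == 0 || start < 0 {
		return code
	}
	if b := code[start]; b >= 0xa1 && b <= 0xa4 {
		return code[:start]
	}
	return code
}

// SelfdestructOffsets walks the instruction stream and reports the offset of
// every SELFDESTRUCT opcode. PUSH immediates are skipped, so a 0xff byte that
// is data (part of a pushed address or constant) is not reported.
func SelfdestructOffsets(code []byte) []int {
	var hits []int
	for pc := 0; pc < len(code); pc++ {
		op := code[pc]
		switch {
		case op == opSELFDESTRUCT:
			hits = append(hits, pc)
		case op >= opPUSH1 && op <= opPUSH32:
			pc += int(op-opPUSH1) + 1 // jump over the immediate bytes
		}
	}
	return hits
}

// ScanHex accepts eth_getCode style output ("0x6080...") and returns the
// SELFDESTRUCT offsets of the runtime code with the metadata trailer removed.
func ScanHex(hexCode string) ([]int, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(hexCode, "0x"))
	if err != nil {
		return nil, err
	}
	return SelfdestructOffsets(StripSolidityMetadata(raw)), nil
}

// Constructed samples (not real deployed contracts).
func sampleSelfdestruct() []byte {
	// PUSH20 <beneficiary made of 0xff bytes> ; SELFDESTRUCT at offset 21
	code := []byte{0x73}
	for i := 0; i < 20; i++ {
		code = append(code, 0xff)
	}
	return append(code, opSELFDESTRUCT)
}

func sampleWithMetadata() []byte {
	// PUSH1 0 PUSH1 0 RETURN (5 bytes), then a 10-byte CBOR trailer
	// {"solc": 0xff0811} whose payload contains a 0xff, then length 0x000a.
	return []byte{0x60, 0x00, 0x60, 0x00, 0xf3,
		0xa1, 0x64, 's', 'o', 'l', 'c', 0x43, 0xff, 0x08, 0x11, 0x00, 0x0a}
}

func main() {
	fmt.Println("selfdestruct offsets:", SelfdestructOffsets(sampleSelfdestruct()))        // [21]
	fmt.Println("0xff as push data only:", SelfdestructOffsets([]byte{0x60, 0xff, 0x00})) // []
	raw := sampleWithMetadata()
	fmt.Println("false positive in metadata:", SelfdestructOffsets(raw))                  // [12]
	fmt.Println("after stripping trailer:", SelfdestructOffsets(StripSolidityMetadata(raw))) // []
}
```

Feed `ScanHex` the result of `eth_getCode` for each contract you operate; an empty offset list means that contract cannot itself trigger the deletion, though on an unpatched chain it can still be a victim if someone else destroys a copy of its bytecode. The decoder treats every byte as reachable, so a SELFDESTRUCT in unreachable dead code is still reported; that is the safe direction for an inventory.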


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-07-15T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf67ba

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:55:40 PM

Last updated: 8/14/2025, 9:37:22 PM

