CVE-2022-35936 is a medium-severity vulnerability affecting Ethermint, an Ethereum-compatible library used in the Evmos blockchain ecosystem. The vulnerability arises from a flaw in the DeleteAccount function in Ethermint versions up to and including v0.17.2. When a smart contract invokes the selfdestruct opcode, it permanently removes the contract's bytecode from the internal database storage. However, due to the bug, this deletion affects not only the contract that called selfdestruct but also all other contracts sharing the same bytecode hash (CodeHash). This means that if one contract with a particular bytecode self-destructs, all other contracts with identical bytecode become non-functional, even though they did not invoke selfdestruct themselves. This behavior effectively causes a denial of service (DoS) condition for all affected contracts. The vulnerability is categorized under CWE-668, which relates to exposure of resources to the wrong sphere, indicating improper resource isolation. The issue has been fixed in Ethermint version v0.18.0, but the patch introduces state machine-breaking changes requiring coordinated upgrades for applications relying on Ethermint. As a workaround, users can redeploy the same contract bytecode to restore the internal bytecode hash mapping and recover contract functionality. There are no known exploits in the wild reported to date. The vulnerability impacts the integrity and availability of smart contracts on affected Ethermint-based chains, potentially disrupting decentralized applications relying on shared contract code. Exploitation does not require authentication or user interaction beyond the contract selfdestruct invocation, which is a standard Ethereum opcode. The scope is limited to contracts sharing identical bytecode on affected Ethermint versions prior to v0.18.0.

For European organizations utilizing Ethermint-based blockchain platforms, particularly those deploying smart contracts with shared bytecode, this vulnerability poses a risk of service disruption. The unintended mass disabling of contracts sharing the same bytecode can lead to significant availability issues for decentralized applications, potentially affecting financial transactions, supply chain tracking, or other blockchain-enabled services. Integrity is also impacted as contracts cease functioning unexpectedly, undermining trust in the platform. Organizations relying on these contracts may face operational downtime and loss of business continuity. Since the vulnerability requires a contract to invoke selfdestruct, a malicious or compromised contract could intentionally trigger a denial of service against other contracts sharing the same code, amplifying the risk. The need for coordinated upgrades to patch the vulnerability may complicate remediation efforts, especially for enterprises with complex blockchain deployments. However, the availability of a workaround (redeploying the same contract bytecode) mitigates some impact. Overall, the vulnerability could disrupt blockchain-based services and applications critical to European industries such as finance, logistics, and public services that leverage Ethermint or Evmos chains.

1. Immediate Upgrade: Plan and execute a coordinated upgrade to Ethermint version v0.18.0 or later, despite the state machine-breaking changes. This is the definitive fix and should be prioritized in environments where contract availability is critical. 2. Contract Deployment Practices: Avoid deploying multiple contracts with identical bytecode where possible to reduce the blast radius of this vulnerability. 3. Monitoring and Alerts: Implement monitoring to detect selfdestruct opcode invocations on contracts, enabling rapid response if a contract selfdestructs unexpectedly. 4. Redeployment Workaround: In case of DoS due to this vulnerability, promptly redeploy the affected contract bytecode to restore functionality. Automate this process where feasible to minimize downtime. 5. Access Controls: Restrict permissions and interactions with contracts that have selfdestruct capabilities to trusted entities only, reducing the risk of malicious or accidental triggering. 6. Testing and Validation: Before upgrading, thoroughly test applications with the new Ethermint version to handle state machine changes and ensure compatibility. 7. Documentation and Training: Educate development and operations teams about this vulnerability and the importance of coordinated upgrades and deployment hygiene to prevent recurrence.