CVE-2022-36058 is a medium-severity vulnerability identified in the elrond-go software, which is the Go language implementation of the Elrond Network protocol. The vulnerability is classified under CWE-20, indicating improper input validation. Specifically, in versions of elrond-go prior to 1.3.34 (i.e., versions <= 1.3.33), the software does not correctly handle certain malformed MultiESDTNFTTransfer transactions. These transactions may be missing a required function name, which is a critical parameter for processing such transfers. When elrond-go processes blocks containing these malformed transactions—whether historical or current—it may encounter unexpected behavior due to the lack of validation on this input. Importantly, this vulnerability does not affect other core functionalities of the protocol such as peer-to-peer messaging, storage, or API requests. The issue was addressed and fixed in version 1.3.34 of elrond-go. There are no known workarounds for this vulnerability, meaning that affected users must upgrade to the patched version to mitigate the risk. No known exploits have been reported in the wild to date. The vulnerability arises from insufficient input validation, which could potentially allow malformed transaction data to disrupt normal block processing or cause errors in the node’s operation, possibly leading to denial of service or inconsistent blockchain state processing if exploited. However, the exact impact depends on how the software handles such invalid input internally, which is not detailed in the provided information.

For European organizations utilizing the Elrond Network, particularly those running nodes or services based on elrond-go versions prior to 1.3.34, this vulnerability could lead to disruptions in blockchain transaction processing. This may affect blockchain validators, exchanges, wallet providers, and any enterprise integrating Elrond blockchain data into their systems. The improper input validation could cause nodes to reject blocks or transactions, potentially leading to denial of service conditions or inconsistent ledger states. While the vulnerability does not impact core network functionalities like P2P messaging or API requests, the integrity and availability of transaction processing could be compromised. This could undermine trust in blockchain operations, delay transaction finality, or cause operational downtime. Given the increasing adoption of blockchain technologies in European financial services, supply chain management, and digital identity solutions, such disruptions could have cascading effects on business operations, regulatory compliance, and customer trust. However, since no known exploits are reported and the vulnerability requires processing of malformed transactions, the immediate risk is moderate but should not be underestimated.

The primary and only effective mitigation is to upgrade all instances of elrond-go to version 1.3.34 or later, where the input validation issue has been fixed. Organizations should audit their infrastructure to identify all nodes and services running vulnerable versions and prioritize patching. Additionally, implement rigorous input validation and transaction filtering at the application layer before transactions are submitted to elrond-go nodes to reduce the risk of malformed transactions reaching the node. Monitoring blockchain node logs for errors related to MultiESDTNFTTransfer transactions can help detect attempts to exploit this vulnerability. Deploying network-level controls to restrict access to blockchain nodes and ensuring that only trusted peers can submit blocks may also reduce exposure. Finally, organizations should maintain up-to-date backups of blockchain node data and configurations to enable rapid recovery in case of disruption.