CVE-2022-36061 is a medium-severity vulnerability identified in the Elrond Network's Go implementation (elrond-go) prior to version 1.3.35. The vulnerability stems from improper initialization (CWE-665) related to how read-only calls between smart contracts are handled. Specifically, when a smart contract (Contract A) invokes another contract (Contract B) in read-only mode, the expectation is that Contract B's state remains unchanged. However, due to this flaw, if Contract B's called function modifies its state during such a read-only call, those changes persist, effectively bypassing the intended read-only restriction. This behavior can lead to unintended state alterations that were not anticipated by the original smart contract developers, potentially causing logic errors, state inconsistencies, or exploitation by malicious actors to manipulate contract states without proper authorization. The issue was addressed and patched in elrond-go version 1.3.35. No known exploits have been reported in the wild, and no workarounds exist aside from upgrading to the patched version. This vulnerability affects all deployments running elrond-go versions earlier than 1.3.35, impacting the integrity of smart contract operations within the Elrond blockchain ecosystem.

For European organizations utilizing the Elrond Network, particularly those deploying or interacting with smart contracts on the elrond-go platform, this vulnerability poses a risk to the integrity and reliability of their blockchain applications. Unauthorized or unintended state changes in smart contracts can lead to financial discrepancies, loss of trust, and potential exploitation in decentralized finance (DeFi) applications, supply chain tracking, or other blockchain-based services. Given the immutable nature of blockchain transactions, such state inconsistencies could have long-lasting effects, complicating dispute resolution and auditing. Additionally, organizations relying on Elrond for critical infrastructure or data integrity may face operational disruptions. Although no exploits are currently known, the vulnerability's presence increases the attack surface for adversaries aiming to manipulate contract states covertly. This could undermine confidence in blockchain solutions and impact regulatory compliance, especially in sectors with stringent data integrity requirements such as finance, healthcare, and public services within Europe.

The primary and most effective mitigation is to upgrade all instances of elrond-go to version 1.3.35 or later, where the vulnerability has been patched. Organizations should implement strict version control and continuous monitoring to ensure no outdated versions remain in production or testing environments. Additionally, smart contract developers should conduct thorough code reviews and implement additional state validation checks within contracts to detect unexpected state changes, especially when interacting with external contracts in read-only mode. Deploying comprehensive logging and monitoring of contract interactions can help identify anomalous behavior indicative of exploitation attempts. Where possible, organizations should isolate critical contracts and limit cross-contract calls to trusted contracts only. Finally, educating developers and blockchain administrators about this vulnerability and its implications will help prevent inadvertent exposure.