
CVE-2025-54429: CWE-704: Incorrect Type Conversion or Cast in polkadot-evm frontier

Medium
Tags: Vulnerability, CVE-2025-54429, CWE-704
Published: Mon Jul 28 2025 (07/28/2025, 20:34:56 UTC)
Source: CVE Database V5
Vendor/Project: polkadot-evm
Product: frontier

Description

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. Frontier distinguishes several account address types, e.g. precompiled contracts, smart contracts, and externally owned accounts (EOAs), and some EVM mechanisms are meant to be unreachable by certain types of accounts for safety. For a precompile to be callable by smart contracts it must be explicitly configured as CallableByContract; if that configuration is absent, the precompile should be unreachable from smart contract accounts. In commits prior to 0822030, the underlying implementation behind CallableByContract, which returns the caller's AddressType, was incorrect: it classified a contract address whose code was still running under CREATE or CREATE2 (that is, a contract whose constructor is executing) as AddressType::EOA rather than, correctly, as AddressType::Contract. The issue only affects users who use custom precompile implementations that rely on AddressType::EOA and AddressType::Contract; it is not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in commit 0822030.

AI-Powered Analysis

AILast updated: 07/28/2025, 21:02:43 UTC

Technical Analysis

CVE-2025-54429 is a medium-severity vulnerability in the Polkadot Frontier project, the Ethereum Virtual Machine (EVM) compatibility layer for the Polkadot and Substrate ecosystems. It is an incorrect type conversion or cast (CWE-704) in how Frontier classifies account address types. Frontier distinguishes precompiled contracts, smart contracts, and externally owned accounts (EOAs), and for safety certain EVM mechanisms are meant to be inaccessible to specific account types: a precompile is only reachable from smart contracts if it is explicitly marked CallableByContract. Prior to commit 0822030, the classifier behind that check reported a contract address whose code was still executing under CREATE or CREATE2 (a contract inside its constructor, whose bytecode has not yet been stored) as an EOA rather than as a contract. The practical consequence is that a precompile which was deliberately left without CallableByContract, and which therefore rejects contract callers, could still be invoked by a contract from within its constructor, because the caller check saw an EOA. This only matters for custom precompile implementations that branch on AddressType::EOA versus AddressType::Contract; none of the predefined precompiles shipped with Frontier are directly exploitable through this flaw. The vulnerability is fixed in commit 0822030 of Frontier. The CVSS 4.0 base score is 6.9, reflecting a network-exploitable issue with no required privileges or user interaction and limited impact on integrity. No exploits have been observed in the wild. The issue is primarily relevant to developers and operators who deploy custom precompiles with address-type checks on Frontier builds that predate commit 0822030.

Potential Impact

For European organizations running Polkadot or Substrate-based chains with the Frontier EVM compatibility layer, this vulnerability can open unintended execution paths into custom precompiled contracts. The predefined precompiles are not affected, but organizations that develop or deploy custom precompiles gated on the caller's address type may see those gates bypassed by a contract calling the precompile from its constructor, defeating the intended access control. Depending on what the precompile does, that can compromise the integrity of the surrounding smart contract logic, including logic errors or unauthorized asset movements in the affected application. Given the adoption of blockchain technology in Europe for finance, supply chain, and decentralized applications, such a bypass can undermine trust and operational stability. The exposure is limited, however, to chains running a vulnerable build together with custom precompiles that rely on this distinction, which keeps the overall risk surface small. The absence of known exploits and the medium severity rating point to a moderate but non-negligible threat to blockchain-based services in Europe.

Mitigation Recommendations

European organizations should promptly upgrade their Polkadot Frontier deployments to a build that includes commit 0822030, which carries the fix. Teams that maintain custom precompiles should audit every use of AddressType::EOA and AddressType::Contract and confirm that a contract executing under CREATE or CREATE2 is treated as a contract rather than an EOA; on vulnerable builds, a check that only allows EOA callers is not a reliable "no contracts" guard. Precompile access-control tests should include a call made from a contract's constructor, not only from an already-deployed contract and from an EOA, since the constructor case is exactly the one the faulty classifier got wrong. Operators should also monitor their nodes and contract interactions for precompile calls that originate from contract creation transactions or otherwise violate the expected caller constraints, and alert on them for early detection. Finally, follow Polkadot and Substrate community advisories and security updates to stay informed of related vulnerabilities and patches.
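The following Rust model illustrates the misclassification described in the technical analysis and the constructor-call test case recommended above. It is an added example written for this page, not Frontier's code: the AddressType enum, the State struct, the dummy precompile bytecode constant and the under_construction set are assumptions standing in for pallet_evm storage and for whatever mechanism commit 0822030 actually uses to detect a contract under construction. The vulnerable classifier decides from stored code size alone, so an address running CREATE/CREATE2 init code (whose code slot is still empty) is reported as an EOA and slips past a precompile that was not marked CallableByContract; the fixed classifier treats such an address as a contract.

```rust
use std::collections::{HashMap, HashSet};

/// Caller classes a precompile may discriminate on. The variant names follow
/// the advisory; the enum itself is a stand-in for Frontier's AddressType.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AddressType {
    Eoa,
    Contract,
    Precompile,
}

/// Assumed stand-in for the dummy bytecode stored at precompile addresses so
/// that EXTCODESIZE is non-zero there (PUSH1 0, PUSH1 0, REVERT).
pub const PRECOMPILE_DUMMY_CODE: [u8; 5] = [0x60, 0x00, 0x60, 0x00, 0xfd];

/// Minimal model of the EVM state a classifier consults: deployed code per
/// address plus the addresses whose CREATE/CREATE2 init code is executing.
/// This is an assumption for the example, not pallet_evm's storage layout.
#[derive(Default)]
pub struct State {
    pub code: HashMap<[u8; 20], Vec<u8>>,
    pub under_construction: HashSet<[u8; 20]>,
}

/// Vulnerable classifier: decides from stored code size alone. While a
/// constructor runs, the new contract's code has not been written yet, so the
/// address executing CREATE/CREATE2 init code is reported as an EOA.
pub fn address_type_vulnerable(state: &State, addr: &[u8; 20]) -> AddressType {
    match state.code.get(addr).map(Vec::as_slice) {
        None | Some([]) => AddressType::Eoa,
        Some(c) if c == PRECOMPILE_DUMMY_CODE.as_slice() => AddressType::Precompile,
        Some(_) => AddressType::Contract,
    }
}

/// Fixed classifier: an address whose init code is currently executing is a
/// contract even though its code slot is still empty. The set lookup models
/// that check; how the real fixing commit detects it is not shown on this page.
pub fn address_type_fixed(state: &State, addr: &[u8; 20]) -> AddressType {
    if state.under_construction.contains(addr) {
        return AddressType::Contract;
    }
    address_type_vulnerable(state, addr)
}

/// Caller policy of one precompile; `callable_by_contract == false` models a
/// precompile that was not wrapped in Frontier's CallableByContract.
pub struct PrecompilePolicy {
    pub callable_by_contract: bool,
}

/// Gate a precompile call on the caller's address type.
pub fn check_caller(
    policy: &PrecompilePolicy,
    classify: fn(&State, &[u8; 20]) -> AddressType,
    state: &State,
    caller: &[u8; 20],
) -> Result<AddressType, &'static str> {
    let kind = classify(state, caller);
    if kind == AddressType::Contract && !policy.callable_by_contract {
        return Err("precompile is not CallableByContract");
    }
    Ok(kind)
}

/// Scenario (constructed sample state): a precompile that is NOT marked
/// CallableByContract is called from (a) an already-deployed contract and
/// (b) a contract's constructor, i.e. an address still under construction.
/// Returns the two gate decisions in that order.
pub fn constructor_scenario(
    classify: fn(&State, &[u8; 20]) -> AddressType,
) -> (Result<AddressType, &'static str>, Result<AddressType, &'static str>) {
    let deployed = [0x11u8; 20];
    let constructing = [0x22u8; 20];
    let mut state = State::default();
    // Deployed contract: some arbitrary non-dummy bytecode is stored.
    state.code.insert(deployed, vec![0x60, 0x80, 0x60, 0x40, 0x52]);
    // Contract in its constructor: code slot empty, but init code is running.
    state.under_construction.insert(constructing);
    let policy = PrecompilePolicy { callable_by_contract: false };
    (
        check_caller(&policy, classify, &state, &deployed),
        check_caller(&policy, classify, &state, &constructing),
    )
}

fn main() {
    let cases: [(&str, fn(&State, &[u8; 20]) -> AddressType); 2] = [
        ("vulnerable", address_type_vulnerable),
        ("fixed", address_type_fixed),
    ];
    for (name, f) in cases.iter() {
        let (from_deployed, from_ctor) = constructor_scenario(*f);
        println!(
            "{}: deployed contract -> {:?}, constructor -> {:?}",
            name, from_deployed, from_ctor
        );
    }
}
```

With the vulnerable classifier the deployed contract is rejected but the constructor call is accepted as an EOA, which is the bypass; with the fixed classifier both contract callers are rejected. A real test suite for a custom precompile should exercise the same three callers (EOA, deployed contract, contract constructor) against the actual runtime.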


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-21T23:18:10.282Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6887e1ecad5a09ad0087279c

Added to database: 7/28/2025, 8:47:40 PM

Last enriched: 7/28/2025, 9:02:43 PM

Last updated: 8/30/2025, 4:38:38 AM

